
KASPERSKY LAB

Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition

ADMINISTRATOR’S GUIDE

© Kaspersky Lab
http://www.kaspersky.com

Revision date: July, 2008


Contents
CHAPTER 1. INTRODUCTION ................................................................................ 12
1.1. General Anti-Virus information ........................................................................ 12
1.1.1. Real-time protection and on-demand scan............................................... 13
1.1.2. About threats detectable by Anti-Virus...................................................... 14
1.1.3. About infected and suspicious objects and objects that may potentially
contain malicious code............................................................................. 17
1.2. Obtaining information about Anti-Virus............................................................ 18
1.2.1. Sources of information to research on your own....................................... 19
1.2.2. Contacting the Sales Department............................................................. 20
1.2.3. Contacting the Technical Support service ................................................ 21
1.2.4. Discussing Kaspersky Lab's applications at the web forum ...................... 22

CHAPTER 2. WORKING WITH ANTI-VIRUS CONSOLE IN MMC AND ACCESS TO ANTI-VIRUS FUNCTIONS ................................................................................. 25
2.1. About the Anti-Virus console in MMC.............................................................. 25
2.2. Advanced configuration after installation of the Anti-Virus Console in MMC
on another computer ...................................................................................... 26
2.2.1. Adding Anti-Virus users to the KAVWSEE Administrators group on the
protected server ....................................................................................... 27
2.2.2. Allowing network connections for Anti-Virus management service on
the server running Microsoft Windows Server 2008 ................................. 28
2.2.3. Enabling network connections for the Anti-Virus MMC Console in
Microsoft Windows XP SP1 ..................................................................... 29
2.2.4. Enabling network connections for the Anti-Virus MMC Console in
Microsoft Windows XP SP2 or Microsoft Windows Vista .......................... 29
2.3. Starting the Anti-Virus console from the Start menu........................................ 31
2.4. Anti-Virus icon in the notification area of the task tray...................................... 32
2.5. Anti-Virus console window .............................................................................. 34
2.6. Distribution of access permissions to Anti-Virus functions ............................... 34
2.6.1. About access permissions to Anti-Virus functions..................................... 35
2.6.2. Configuring access rights to the Anti-Virus functions ................................ 36
2.7. Starting and stopping ...................................................................................... 38

CHAPTER 3. GENERAL ANTI-VIRUS SETTINGS .................................................. 40


3.1. About general Anti-Virus settings .................................................................... 40
3.2. Configuring general Anti-Virus settings ........................................................... 40

CHAPTER 4. IMPORTING AND EXPORTING ANTI-VIRUS SETTINGS............... 44


4.1. About importing and exporting settings ........................................................... 44
4.2. Exporting settings ........................................................................................... 45
4.3. Importing settings ........................................................................................... 46

CHAPTER 5. TASK MANAGEMENT ....................................................................... 48


5.1. Categories of Anti-Virus tasks ......................................................................... 48
5.2. Creating a task................................................................................................ 50
5.3. Saving task after changing its settings ............................................................ 52
5.4. Renaming tasks.............................................................................................. 52
5.5. Deleting tasks ................................................................................................. 53
5.6. Starting/pausing/resuming/stopping tasks manually........................................ 53
5.7. Managing task schedules ............................................................................... 53
5.7.1. Configuring task schedules ...................................................................... 54
5.7.2. Enabling and disabling scheduled launch................................................. 58
5.8. Viewing task statistics ..................................................................................... 58
5.9. Using a different user account to launch a task ............................................... 59
5.9.1. About using accounts to launch tasks....................................................... 59
5.9.2. Specifying the user account for running tasks........................................... 60

CHAPTER 6. REAL-TIME PROTECTION ................................................................ 62


6.1. About real-time protection tasks...................................................................... 62
6.2. Configuring Real-time file protection task ........................................................ 62
6.2.1. Protection area in the Real-time file protection task .................................. 65
6.2.2. Configuring security settings for a selected node...................................... 71
6.2.3. Selecting protection mode........................................................................ 82
6.3. Real-time file protection task statistics............................................................. 83
6.4. Configuring the Script monitoring task............................................................. 85
6.5. Script monitoring task statistics ....................................................................... 86

CHAPTER 7. BLOCKING ACCESS FROM COMPUTERS IN THE REAL-TIME FILE PROTECTION TASK ....................................................................................... 87
7.1. About blocking access from computers to the protected server....................... 87
7.2. Enabling or disabling automatic blocking of access from computers ............... 88
7.3. Configuring settings of automatic access blocking from computers................. 89
7.4. Excluding computers from automatic blocking (Trusted computers) ............... 91
7.5. Preventing virus outbreaks ............................................................................. 92
7.6. Viewing the list of computers to which access to the server is prohibited ........ 94
7.7. Blocking access from computers: Blocking access from a computer
manually ........................................................................................................ 95
7.8. Unblocking access from a computer ............................................................... 97
7.9. Viewing blocking statistics............................................................................... 97

CHAPTER 8. TRUSTED ZONE................................................................................ 99


8.1. About Anti-Virus trusted zone ......................................................................... 99
8.2. Adding exclusions to the trusted zone........................................................... 101
8.2.1. Adding process to the list of trusted processes ....................................... 101
8.2.2. Disabling the real-time file protection task for the time of backup copying ... 105
8.2.3. Adding exclusion rules ........................................................................... 105
8.3. Applying a trusted zone ................................................................................ 109

CHAPTER 9. ON-DEMAND SCAN ........................................................................ 111


9.1. About on-demand scan tasks ....................................................................... 111
9.2. Configuring on-demand tasks ....................................................................... 112
9.2.1. Scan scope in the on-demand scan tasks .............................................. 113
9.2.2. Configuring security settings for the selected node................................. 120
9.3. Running a background on-demand scan task............................................... 131
9.4. On-demand scan task statistics .................................................................... 133

CHAPTER 10. UPDATING ANTI-VIRUS BASES AND APPLICATION MODULES ....... 136


10.1. About updating Anti-Virus bases ................................................................. 136
10.2. About updating application modules ........................................................... 138
10.3. Schemes for updating bases and application modules of the Anti-Virus
applications used within the organization ..................................................... 139
10.4. Updating tasks ............................................................................................ 143
10.5. Configuring updating tasks.......................................................................... 144
10.5.1. Selecting the update source, configuring the connection with the
update source and regional settings....................................................... 145
10.5.2. Configuring Updating application modules task settings ....................... 150
10.5.3. Configuring Download updates task settings........................................ 152
10.6. Updating task statistics ............................................................................... 153
10.7. Rolling back Anti-Virus database updates ................................................... 154
10.8. Rolling back application modules update .................................................... 154

CHAPTER 11. ISOLATION OF SUSPICIOUS OBJECTS. USING QUARANTINE 155


11.1. About isolation of suspicious objects ........................................................... 155
11.2. Viewing quarantined objects ....................................................................... 156
11.2.1. Sorting quarantined objects .................................................................. 158
11.2.2. Filtering quarantined objects................................................................. 159
11.3. Scanning quarantined objects. The Scan Quarantine task settings............. 160
11.4. Restoring objects from quarantine .............................................................. 162
11.5. Quarantining files ........................................................................................ 166
11.6. Deleting objects from quarantine................................................................. 166
11.7. Sending suspicious object to Kaspersky Lab for analysis............................ 167
11.8. Configuring quarantine settings................................................................... 169
11.9. Quarantine statistics ................................................................................... 171

CHAPTER 12. BACKUP COPYING OF OBJECTS BEFORE DISINFECTION/DELETION; USING BACKUP STORAGE.................................... 173
12.1. About backup copying of objects before disinfection / deletion .................... 173
12.2. Viewing files stored in Backup..................................................................... 174
12.2.1. Sorting files in Backup .......................................................................... 176
12.2.2. Filtering files in Backup......................................................................... 176
12.3. Restoring files from Backup ........................................................................ 178
12.4. Deleting files from Backup .......................................................................... 181
12.5. Configuring backup storage settings ........................................................... 182
12.6. Backup storage statistics ............................................................................ 183

CHAPTER 13. EVENT REGISTRATION................................................................ 185


13.1. Methods of event registration ...................................................................... 185
13.2. Task execution reports................................................................................ 186
13.2.1. About task execution reports ................................................................ 186
13.2.2. Viewing summary reports. Summary reports' status............................. 187
13.2.3. Sorting reports...................................................................................... 191
13.2.4. Viewing detailed report about task execution........................................ 191
13.2.5. Exporting information from a detailed report into a text file.................... 196
13.2.6. Deleting reports .................................................................................... 196
13.2.7. Report and event log detail level settings.............................................. 197
13.3. System audit log ......................................................................................... 199
13.3.1. Sorting events in System audit log........................................................ 200
13.3.2. Filtering events in System audit log ...................................................... 201
13.3.3. Deleting objects from System audit log................................................. 202
13.4. Anti-Virus statistics...................................................................................... 203
13.5. Anti-Virus event log in Event Viewer ........................................................... 207

CHAPTER 14. INSTALLING AND DELETING LICENSE KEYS ............................ 209


14.1. About Anti-Virus license keys...................................................................... 209
14.2. View installed keys info ............................................................................... 210
14.3. Key installation............................................................................................ 212
14.4. Deleting keys .............................................................................................. 213

CHAPTER 15. CONFIGURING NOTIFICATIONS ................................................. 214


15.1. Methods for notifying the administrator and users ....................................... 214
15.2. Notification settings ..................................................................................... 216

CHAPTER 16. ANTI-VIRUS COMMAND LINE COMMANDS ................................ 225


16.1. Displaying Anti-Virus command help. KAVSHELL HELP............................ 227
16.2. Anti-Virus service startup or shutdown. KAVSHELL START, KAVSHELL
STOP........................................................................................................... 227
16.3. Scanning selected area. KAVSHELL SCAN ............................................... 228
16.4. Starting the Scan my computer task. KAVSHELL FULLSCAN ................... 232
16.5. Managing the specified task in asynchronous mode. KAVSHELL TASK .... 233
16.6. Starting and stopping real-time protection tasks. KAVSHELL RTP ............. 235
16.7. Starting Anti-Virus bases update task. KAVSHELL UPDATE ..................... 235
16.8. Rollback of the Anti-Virus bases update. KAVSHELL ROLLBACK ............. 239
16.9. Installing and deleting keys. KAVSHELL LICENSE .................................... 240
16.10. Enabling, configuring and disabling the tracking log. KAVSHELL TRACE 241
16.11. Enabling and disabling dump file creation. KAVSHELL DUMP ................. 242
16.12. Importing settings. KAVSHELL IMPORT .................................................. 243
16.13. Exporting settings. KAVSHELL EXPORT ................................................. 244

CHAPTER 17. RETURN CODES........................................................................... 245

CHAPTER 18. MANAGING ANTI-VIRUS AND VIEWING ITS STATUS ................ 252
18.1. Starting and stopping the Anti-Virus service................................................ 252
18.2. Viewing the server protection status............................................................ 253
18.3. Viewing the Anti-Virus statistics................................................................... 255
18.4. Viewing Anti-Virus details............................................................................ 257
18.5. Viewing information about installed keys..................................................... 258

CHAPTER 19. CREATING AND CONFIGURING POLICIES................................. 261


19.1. About policies ............................................................................................. 261
19.2. Creating a policy ......................................................................................... 262
19.3. Configuring a policy .................................................................................... 268
19.4. Disabling / resuming scheduled launch of local predefined tasks ............... 272

CHAPTER 20. CONFIGURING ANTI-VIRUS IN THE APPLICATION SETTINGS DIALOG BOX ......................................................................................................... 274
20.1. The Application Settings dialog box ............................................................ 274
20.2. Configuring general Anti-Virus settings ....................................................... 276
20.3. Blocking access from computers ................................................................ 279
20.3.1. Enabling or disabling automatic blocking of access from computers..... 280
20.3.2. Configuring settings of automatic access blocking from computers ...... 281
20.3.3. Excluding computers from blocking (Trusted computers) ..................... 282
20.3.4. Preventing virus outbreaks ................................................................... 283
20.3.5. Viewing the server access blocking list................................................. 285
20.3.6. Manually blocking access from computers ........................................... 286
20.3.7. Unblocking access from computers...................................................... 287
20.4. Managing quarantined objects and configuring the quarantine settings ...... 288
20.4.1. Quarantine functions and configuration tools ........................................ 288
20.4.2. Configuring quarantine settings ............................................................ 289
20.5. Managing files in Backup and configuring backup storage settings ............. 291
20.5.1. Functions of Backup and tools used to control these functions ............. 291
20.5.2. Configuring Backup settings ................................................................. 291
20.6. Configuring notifications.............................................................................. 293
20.6.1. General information.............................................................................. 293
20.6.2. Configuring administrator's and users' notifications on the Notification
tab.......................................................................................................... 295
20.7. Managing the trusted zone ......................................................................... 296
20.7.1. Adding processes to the list of trusted processes ................................. 296
20.7.2. Disabling real-time file protection during backup copying...................... 298
20.7.3. Adding exclusions to the trusted zone .................................................. 299
20.7.4. Applying a trusted zone ........................................................................ 302

CHAPTER 21. CREATING AND CONFIGURING TASKS ..................................... 303


21.1. About creating tasks ................................................................................... 303
21.2. Creating tasks............................................................................................. 303
21.3. Configuring a task ....................................................................................... 313
21.4. Managing full scans of servers. Assigning the "full computer scan" status to
an on-demand scan task.............................................................................. 315

CHAPTER 22. PERFORMANCE COUNTERS FOR SYSTEM MONITOR ............ 318


22.1. About Anti-Virus performance counters ...................................................... 318
22.2. Total number of denied requests ................................................................ 319
22.3. Total number of skipped requests ............................................................... 320
22.4. Number of requests not processed because of lack of system resources ... 321
22.5. Number of requests sent to be processed .................................................. 321
22.6. Average number of file interception dispatcher streams .............................. 322
22.7. Maximum number of file interception dispatcher streams............................ 323
22.8. Number of infected objects in processing queue ......................................... 324
22.9. Number of objects processed per second................................................... 325

CHAPTER 23. ANTI-VIRUS SNMP COUNTERS AND TRAPS ............................. 326


23.1. About Anti-Virus SNMP counters and traps ................................................ 326
23.2. Anti-Virus SNMP counters .......................................................................... 326
23.2.1. Performance counters.......................................................................... 327
23.2.2. General counters.................................................................................. 327
23.2.3. Update counter .................................................................................... 328
23.2.4. Real-time protection counters............................................................... 328
23.2.5. Quarantine counters............................................................................. 329
23.2.6. Backup counters .................................................................................. 330
23.2.7. Server access blocking counters .......................................................... 330
23.2.8. Counters for scanned scripts ................................................................ 330
23.3. SNMP traps ................................................................................................ 330

APPENDIX A. DESCRIPTION OF GENERAL ANTI-VIRUS SETTINGS AND SETTINGS OF ITS FUNCTIONS, AND TASKS ..................................................... 339
A.1. Anti-Virus settings......................................................................................... 339
A.1.1. Maximum number of processes ............................................................. 340
A.1.2. Number of processes used in real-time protection ................................. 341
A.1.3. Number of processes for background on-demand scan tasks ................. 342
A.1.4. Task recovery ........................................................................................ 343
A.1.5. Reports storage period .......................................................................... 344
A.1.6. Storage period for events in the system audit log ................................... 344
A.1.7. Actions if uninterruptible power supply is used ....................................... 345
A.1.8. Event generation thresholds .................................................................. 346
A.1.9. Tracking log settings .............................................................................. 346
A.1.10. Creating Anti-Virus processes memory dump files ............................... 351
A.2. Task schedule settings ................................................................................. 353
A.2.1. Launch frequency .................................................................................. 353
A.2.2. Date when the schedule will be applied and time of the first task launch 355
A.2.3. Schedule disabling date......................................................................... 356
A.2.4. Maximum duration of the task execution ................................................ 356
A.2.5. Time period (within 24 hours) during which a task will be paused .......... 357
A.2.6. Launching skipped tasks........................................................................ 357
A.2.7. Launch time distribution within a time interval, min ................................. 358
A.3. Security settings in the Real-time file protection task and on-demand scan
tasks. ........................................................................................................... 359
A.3.1. Protection mode..................................................................................... 359
A.3.2. Detectable objects ................................................................................. 360
A.3.3. Scanning new and modified objects only ............................................... 362
A.3.4. Scanning composite objects .................................................................. 363
A.3.5. Action to be performed with infected objects .......................................... 364
A.3.6. Actions to be performed with suspicious objects .................................... 366
A.3.7. Actions depending on threat type........................................................... 368
A.3.8. Excluding objects ................................................................................... 369
A.3.9. Excluding threats ................................................................................... 370
A.3.10. Maximum object scan time .................................................................. 372
A.3.11. Maximum size of a detectable composite object .................................. 372
A.3.12. Use of iChecker technology ................................................................. 373
A.3.13. Use of iSwift technology....................................................................... 374
A.4. Automatic blocking settings for computer access to the server ..................... 375
A.4.1. Enabling / disabling of automatic blocking access from computers ........ 375
A.4.2. Actions to be performed with infected objects ........................................ 376
A.4.3. The trusted computers list ...................................................................... 377
A.4.4. Preventing virus outbreaks..................................................................... 378
A.5. Updating task settings .................................................................................. 380
A.5.1. Update source ....................................................................................... 381
A.5.2. FTP server mode for connection to the protected server........................ 382
A.5.3. Update source connection timeout......................................................... 383
A.5.4. Using and configuring a proxy server ..................................................... 383
A.5.5. Regional settings for optimization of updates downloading (Location of
the protected server) .............................................................................. 387
A.5.6. The Application Module Updates task settings....................................... 388
A.5.7. Updates distribution task settings........................................................... 389
A.6. Quarantine settings ...................................................................................... 391
A.6.1. Quarantine folder ................................................................................... 391
A.6.2. Maximum quarantine size ...................................................................... 392
A.6.3. Free quarantine space threshold ........................................................... 393
A.6.4. Folder for restoration.............................................................................. 394
A.7. Backup storage settings ............................................................................... 394
A.7.1. Backup storage folder ............................................................................ 395
A.7.2. Maximum backup storage size .............................................................. 396
A.7.3. Minimum backup storage free space threshold ...................................... 396
A.7.4. Folder for restoration.............................................................................. 397

APPENDIX B. KASPERSKY LAB........................................................................... 399


B.1. Other Kaspersky Lab Products..................................................................... 400
B.2. Contact Us ................................................................................................... 411

APPENDIX C. INDEX ............................................................................................. 412

APPENDIX D. LICENSE AGREEMENT................................................................. 416


CHAPTER 1. INTRODUCTION

This guide describes how to use Kaspersky Anti-Virus 6.0 for Windows Servers
Enterprise Edition (hereinafter - Anti-Virus).
Section 1.1 on pg. 12 contains general information about Anti-Virus as well as
a description of its protection functions and of detectable threats.
Part 1 of the guide, Configuration and Control via MMC, discusses control of
Anti-Virus via a console installed on a protected server or on a remote
workstation.
For instructions on how to control Anti-Virus from the command line of the
protected server, refer to Part 2, Control of the Anti-Virus from the command
line.
Part 3, Configuration and control using Kaspersky Administration Kit, discusses
protecting servers on which Anti-Virus is installed by using the Kaspersky
Administration Kit application.
Part 4, Anti-Virus counters, describes the Anti-Virus counters for the
"System Monitor" application as well as SNMP counters and traps.
If you have not found an answer to your question about Anti-Virus in this
document, please refer to other sources of information about this product
(see section 1.2 on pg. 18).

1.1. General Anti-Virus information


Anti-Virus protects servers running Microsoft Windows against threats that
penetrate computers through file exchange. It is designed to be used in local
area networks of medium to large organizations. Anti-Virus users are computer
network administrators and specialists responsible for the anti-virus
protection of networks.
You can install Anti-Virus on servers that perform various functions: terminal
servers and print servers, application servers and domain controllers, and file
servers, which are more susceptible to virus infections than other servers
because they exchange files with user workstations.
You can control the protection of the server on which Anti-Virus is installed
using various tools: the Anti-Virus console in MMC, command line commands, or
the Kaspersky Administration Kit application for centralized control of
protection of multiple servers, each with Anti-Virus installed. You can view
the Anti-Virus performance counters for the "System Monitor" application as
well as SNMP counters and traps.
This chapter contains the following information:
• about Anti-Virus functions Real-time protection and On-demand scan (see section 1.1.1 on pg. 13);
• about threats which can be detected and disinfected by Anti-Virus (see section 1.1.2 on pg. 14);
• how Anti-Virus detects infected, suspicious and potentially dangerous (riskware) objects (see section 1.1.3 on pg. 17).

1.1.1. Real-time protection and on-demand scan

You can use two Anti-Virus functions to ensure server protection: Real-time protection and On-demand scan. You can enable or disable these functions manually or using a schedule.
Real-time protection starts automatically at Anti-Virus startup by default and continues running in background mode.
Anti-Virus scans the following objects of the protected server when they are accessed:
• Files;
• Alternate file system streams (NTFS streams);
• Master boot record and boot sectors of the local hard drives and removable media.
When an application writes a file to a server or reads a file from it, Anti-Virus intercepts this file, scans it for threats and, if it detects a threat, performs the actions you have specified: it attempts to disinfect the file or simply deletes it. Anti-Virus returns the file to the application only if it is not infected or if it has been successfully disinfected.
Anti-Virus scans objects not only for viruses but also for other types of threats, for example, Trojan horses, adware or spyware. For more details about threats that can be detected and disinfected by Anti-Virus, refer to section 1.1.2 on pg. 14.
Additionally, Anti-Virus continuously monitors attempts to execute VBScript or JScript scripts created using Microsoft Windows Script (or Active Scripting) technologies on the protected server. The application checks the code of the scripts and automatically prohibits execution of scripts it has found malicious.
The task of real-time Anti-Virus server protection is to ensure maximum server security with minimum slowdown of file exchange.
An On-demand scan is a one-time complete or selective scan of objects on the server for threats.
Anti-Virus scans files, server RAM and the startup objects, which are rather difficult to restore once they have been corrupted.
By default Anti-Virus performs a full computer scan once a week. We recommend launching a full computer scan manually after any period during which real-time file protection was disabled.

1.1.2. About threats detectable by Anti-Virus

Anti-Virus can detect hundreds of thousands of malware programs in file system objects. Some of these programs pose a greater threat to the user; others are only dangerous when certain conditions are met. After Anti-Virus detects a malicious program in an object, it assigns it a category characterized by a certain severity level (high, medium or low).
Anti-Virus distinguishes the following malware categories:
• viruses and worms (Virware);
• Trojan horses (Trojware);
• other malware;
• pornware;
• adware;
• riskware.

Note
You can check the severity level of threats detected in suspicious objects using the Quarantine node (see Chapter 11 on pg. 155), and the severity level of threats contained in infected objects using the Backup storage node (see Chapter 12 on pg. 173).

A brief description of the threats is provided below. For a more detailed description of malware programs and their classification please visit Kaspersky Lab's Virus Encyclopedia (http://www.viruslist.com/en/viruses/encyclopedia).
Viruses and worms (Virware)
Severity level: high
This category includes classic viruses and network worms.
A classic virus (class Viruses) infects files of other programs or data. It adds its own code to such files in order to gain control when these files are opened. After it has penetrated the system, a classic virus is activated when triggered by a certain event and performs its malicious action.
Classic viruses differ in their environment and in the method they use for infecting other objects.
The term environment refers to the areas of a computer, an operating system or an application penetrated by the virus code. Based on the environment, file, boot, macro and script viruses are distinguished.
The term method of infection refers to the various methods of implanting malicious code into the objects being infected. There are numerous types of viruses using various methods of infection. Overwriting viruses write their own code in place of the code of the file they infect, destroying the content of that file. The infected file stops working and cannot be restored. Parasitic viruses modify files' code, leaving such files fully or partially operational. Companion viruses do not modify files but create their duplicates. When such an infected file is accessed, control is taken over by its duplicate, which is the virus. There are also link viruses which infect object modules (OBJ), viruses which infect compiler libraries (LIB), viruses which infect the source code of programs, etc.
After it penetrates the system, the code of a network worm (class Worm), similarly to classic virus code, is activated and performs its malicious action. The network worm received its name due to its ability to tunnel from one computer to another - to send copies of itself through various information channels.
The method of proliferation is the main attribute that differentiates the various types of network worms. Network worms can be mail worms, internet pager worms, IRC channel worms, file sharing network worms and other network worms. Other network worms are those which distribute copies of themselves in network resources, penetrate operating systems using vulnerabilities in them and in the applications running under them, penetrate public network resources and use other threats.
Many network worms can proliferate extremely fast.
In addition to the damage they inflict on the infected computer, network worms discredit the owner of such a computer, cause additional charges for network traffic and clutter up internet channels.
Trojan horses (Trojware)
Severity level: high
Trojans (classes Trojan, Backdoor, Rootkit and others) perform actions on computers that are not authorized by the user; for example, they steal passwords, access internet resources, download and install other programs.
Unlike classic viruses, Trojans do not proliferate by themselves by penetrating files and infecting them. Rather, they are transferred at the "master's" command. However, Trojans may inflict far greater damage than a regular virus attack.
The most dangerous Trojans are Backdoors - remote administration utilities. When run, these programs install themselves in the system without the user's knowledge and perform hidden monitoring: they erase data from drives, "freeze" the system or transfer information to their developer.
Another type of Trojan is the Rootkit. Like other Trojan programs, Rootkits permeate the system without the user's knowledge. Although they do not perform any malicious actions, they camouflage other malware programs and their activities and thus extend the existence of such programs in the infected system. Rootkits may hide files or processes in the memory of an infected computer or registry keys run by malware programs. Rootkits may also conceal a hacker's access to the system.
Other malware programs (Malware)
Severity level: average
Other malware programs do not pose any threat to the computer on which they are executed, yet they can be used to organize network attacks on remote servers, hack other computers, or create other viruses or Trojan programs.
There are many types of other malware programs. Network attacks (class DoS (Denial-of-Service)) send multiple requests to remote servers, which causes these servers to fail. Hoaxes (types BadJoke, Hoax) alarm users with virus-like messages: they can "detect" a virus in a clean file or display a message about disk formatting which will not take place. Encrypting programs (classes FileCryptor, PolyCryptor) encrypt other malware programs to prevent them from being detected during an Anti-Virus scan. Constructors (class Constructor) allow generating source code of viruses, object modules or infected files. Spam utilities (class SpamTool) collect e-mail addresses on the infected computer or turn such a computer into a spam sending machine.
Pornware (Pornware)
Severity level: medium
Pornware programs are included in the "not-a-virus" class of programs. They have functions which may inflict damage on the user only if special conditions are met.
Such programs are associated with the display of pornographic information to the user. Depending on the behavior of the programs, three types are distinguished: automatic dialers (Porn-Dialer), downloaders (Porn-Downloader) and tools (Porn-Tool). Porn dialers connect to pay-per-view pornographic internet resources using a modem; porn downloaders download pornography to the user's computer. Porn tools are programs related to the search and display of pornographic materials (for example, special instrument panels for browsers and special video players).
Adware (Adware)
Severity level: medium
Adware programs are included in the "not-a-virus" class. They are built into other programs without the user's knowledge to display advertising messages in their interface. In many cases adware programs, in addition to displaying advertising messages, gather users' personal information and send it to their developer, change browser settings (browser home page, search page, security levels, etc.) and create traffic that is not controlled by the user. In addition to violating the security rules, the activities of adware programs may cause direct financial damage.
Riskware
Severity level: low
Riskware programs are included in the "not-a-virus" class of programs. Such programs may be legally purchased and used in the daily operations of users, for example, system administrators.
Some remote administration programs, such as RemoteAdmin, are considered riskware. It is the user who installs and runs these programs on his or her computer. This differentiates them from Backdoor programs, which install themselves into the system and start monitoring the system without the user's knowledge.
Riskware programs also include some automatic keyboard layout change programs, IRC clients, FTP servers, and utilities for killing and hiding processes.

1.1.3. About infected and suspicious objects and objects that may potentially contain malicious code

The server on which Anti-Virus is installed stores a set of Anti-Virus bases (hereinafter - bases, database). Bases are files containing records that are used to identify, in detectable objects, the presence of malicious code of hundreds of thousands of known potential threats. Records contain information about the control sections of the threats' code and the algorithms used for disinfecting objects in which these threats are contained.
If Anti-Virus detects, in a detectable object, sections of code that fully coincide with the control code sections of a threat according to the information in the bases, it considers the object infected; if they coincide only partially (in accordance with some conditions), it considers the object suspicious.
Additionally, Anti-Virus detects objects which may potentially contain malicious code. For this purpose, it uses a heuristic code analyzer. It cannot be said that the code of such an object fully or partially coincides with the code of a known threat, but it does contain some command sequences characteristic of malicious objects, such as opening a file, writing to a file or interception of interrupt vectors. The heuristic analyzer may determine, for example, that a file seems to be infected with an unknown boot virus.
If Anti-Virus finds a detectable object infected or suspicious, it returns the name of the threat contained in the object; if Anti-Virus finds that an object may potentially contain malicious code, it does not return the name of the threat contained in this object.

Note:
The term "objects potentially containing malicious code" is not used in the security setting configuration dialog box or in the Security Settings dialog window and the Task Statistics dialog window: there Anti-Virus calls "suspicious" both those objects that may potentially contain malicious code and suspicious objects (in which code sections that coincide with the code of known threats have been detected).
In other dialog boxes of the Anti-Virus console the terms "suspicious objects" and "objects that may potentially contain malicious code" are named differently. The term "suspicious objects" only refers to suspicious objects.

1.2. Obtaining information about Anti-Virus

If you have any questions regarding purchasing, installing or using Anti-Virus, you can easily receive answers to them.
Kaspersky Lab has many sources of information, and you can select the source most convenient to you depending on how urgent and important your question is.
You can:
• find the answer to your question on your own (see section 1.2.1 on pg. 19);
• receive an answer from the Sales Department personnel (see section 1.2.2 on pg. 20);
• receive a response from a Technical Support specialist if you have already purchased Anti-Virus (see section 1.2.3 on pg. 21);
• discuss your question not only with Kaspersky Lab's specialists but also with other users in the web forum section dedicated to Anti-Virus (see section 1.2.4 on pg. 22).

1.2.1. Sources of information to research on your own

You can refer to the following information sources about the application:
• the Anti-Virus page at the Kaspersky Lab's website;
• application page at the Support Service (Knowledge Base) website;
• help system;
• documentation.
The Anti-Virus page at the Kaspersky Lab's website
http://www.kaspersky.com/kaspersky_Anti-Virus_windows_server_enterprise
This page contains general information about the application, its functionality and features. You can purchase the application or extend the period of its usage in our online store.
Application page at the Support Service (Knowledge Base) website
http://support.kaspersky.com/win_serv_ee_6mp2
This page contains articles published by the Technical Support service specialists.
These articles contain useful information, recommendations and answers to frequently asked questions related to the purchase, installation and use of the application. These answers are grouped by topic, for example, "Working with key files", "Configuring base updates" or "Troubleshooting". The articles may answer questions which are related not only to this particular application, but also to other Kaspersky Lab products; they may also contain general Technical Support service news.
Help system
The application's distribution kit includes a complete help file.
The complete help file contains information on managing computer protection using the Anti-Virus console in MMC: viewing the protection status, scanning various areas of the computer and performing other tasks. It also contains information about managing the application from the command line and using Anti-Virus efficiency counters as well as SNMP counters and traps.
In order to open the complete help file, select the Display help command from the Help menu in the Anti-Virus console.
If you have any questions regarding an individual application window, you can refer to the context help.
In order to open the context help, press the Help button or the <F1> key in the window you need help on.
Documentation
The set of documents supplied with the application contains most of the information required for its operation. The set contains the following documents:
• Typical usage schemes. This document discusses the use of Anti-Virus in the enterprise network.
• Comparison with Kaspersky Anti-Virus 6.0 for Windows Servers. This document lists the characteristics of Anti-Virus which differentiate it from Kaspersky Anti-Virus 6.0 for Windows Servers.
• Installation Guide contains the computer requirements for installing Anti-Virus, Anti-Virus installation and activation instructions as well as instructions on verifying its operability and initial setup.
• Administration Guide (this document) discusses how to work with the Anti-Virus console in MMC, manage Anti-Virus from the Kaspersky Administration Kit application and from the command line, and use Anti-Virus efficiency counters as well as counters and traps for the SNMP protocol.
Files with these documents in PDF format are included in the Anti-Virus distribution kit.
Alternatively, you can download files with these documents from the Anti-Virus page of the Kaspersky Lab's website.
After you have installed the Anti-Virus console you can open the Administrator's Guide from the Start menu.
1.2.2. Contacting the Sales Department


If you have questions regarding selecting or purchasing Anti-Virus or extending the period of its use, you can phone Sales Department specialists in our Central Office in Moscow at:
+7 (495) 797-87-00, +7 (495) 645-79-39, +7 (495) 956-70-00.
The service is provided in Russian or English.
You can also send your questions to the Sales Department specialists by e-mail at sales@kaspersky.com.
In the Sales Department you can obtain advice on managing the enterprise network protection, application network deployment or joint use of the application with other programs.

1.2.3. Contacting the Technical Support service

If you have already purchased the application, you can obtain information about it from the Technical Support service by phone or via the internet.
The Technical Support service specialists will answer your questions regarding the installation and use of the application and will help you eliminate the consequences of malware activity if your computer has already been infected.
Technical support by phone
If you have a problem requiring urgent help, you can call the Technical Support service located in our Moscow office at:
+7 (495) 797-87-07, +7 (495) 645-79-29 or +7 (495) 956-87-08.
We provide technical support to Kaspersky Lab's users around the clock in Russian and English.
If you wish to talk to an expert specializing exclusively in Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition, call during business hours, from 10:00 am until 6:30 pm Moscow time (GMT +3).
Provide the Technical Support service specialist with the application's activation code or the key serial number (you can view it in the Keys node of the Anti-Virus console in the properties of the key installed).
An e-mail request to the Technical Support service (for registered users only)
You can ask your question to the Technical Support Service specialists by filling out a Helpdesk web form at http://support.kaspersky.com/helpdesk.html.
You can send your question in Russian, English, German, French or Spanish.
In order to send an e-mail message with your question, you must indicate the client number obtained during the registration at the Technical Support service website along with your password.

Note
If you are not yet a registered user of Kaspersky Lab's applications you can fill out a registration form on page:
https://support.kaspersky.com/en/PersonalCabinet/Registration/Form/.
During the registration you must provide the application's activation code or the key serial number (you can view it in the Keys node of the Anti-Virus console in the properties of the key installed).

You will receive a Technical Support service specialist's response to your e-mail at the e-mail address you have specified in your question and in your Personal Cabinet
https://support.kaspersky.com/en/PersonalCabinet.
Describe the problem you have encountered in the request web form in as much detail as possible. Specify the following in the mandatory fields:
• Request type. Questions most frequently asked by users are grouped into special topics, for example "Product installation/removal problem" or "Virus scan/removal problem". If you have not found an appropriate topic, select "General Question".
• Product name: Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition.
• Request text: Describe the problem you have encountered in as much detail as possible.
• Client number and password. Enter the client number and the password which you received during the registration at the Technical Support service website.
• E-mail address. The Technical Support service specialists will use this e-mail address to send their answer to your question.

1.2.4. Discussing Kaspersky Lab's applications at the web forum

If your question does not require an urgent answer, you can discuss it with Kaspersky Lab's specialists and other users of Kaspersky Lab's Anti-Virus applications in our forum located at http://forum.kaspersky.com/.
In this forum you can view topics published earlier, leave your comments, create new topics and use the search engine.
For example, you can discuss various scenarios of Anti-Virus deployment in your organization and its configuration options.
PART 1. CONFIGURATION AND CONTROL VIA MMC
This part contains the following information:
• Starting the Anti-Virus console in MMC, granting access to Anti-Virus functions, description of the console window appearance (see Chapter 2 on pg. 25);
• Configuring general Anti-Virus settings (see Chapter 3 on pg. 40);
• Importing and exporting settings of Anti-Virus and of its individual functional components (see Chapter 4 on pg. 44);
• The concept of a task in Anti-Virus, types of tasks, operations performed with tasks, configuring a task schedule, viewing task statistics, launching a task under a different account (see Chapter 5 on pg. 48);
• Configuring real-time task settings (see Chapter 6 on pg. 62);
• Blocking access from computers to the server during Real-time file protection tasks (see Chapter 7 on pg. 87);
• Trusted zone (see Chapter 8 on pg. 99);
• Updating the Anti-Virus bases and application modules (see Chapter 10 on pg. 136);
• Using quarantine for isolation of suspicious objects (see Chapter 11 on pg. 155);
• Backing up files before disinfection or deletion and using Backup (see Chapter 12 on pg. 173);
• Registration of events and Anti-Virus statistics (see Chapter 13 on pg. 185);
• Installing and deleting license keys (see Chapter 14 on pg. 209);
• Configuring notifications (see Chapter 15 on pg. 214).
CHAPTER 2. WORKING WITH ANTI-VIRUS CONSOLE IN MMC AND ACCESS TO ANTI-VIRUS FUNCTIONS

This chapter contains the following information:
• about the Anti-Virus console in MMC (see 2.1 on pg. 25);
• advanced configuration after the installation of the Anti-Virus Console in MMC onto another computer (see 2.2 on pg. 26);
• starting the Anti-Virus console from the Start menu (see 2.3 on pg. 31);
• functions of the Anti-Virus icon in the notification area of the protected server's task tray (see 2.4 on pg. 32);
• appearance of the Anti-Virus console window (see 2.5 on pg. 34);
• distribution of access permissions to Anti-Virus functions (see 2.6 on pg. 34);
• starting and stopping the Anti-Virus service (2.7 on pg. 38).

2.1. About the Anti-Virus console in MMC

The Anti-Virus console is an isolated snap-in added to the MMC console (Microsoft Management Console).
After the installation of the Anti-Virus console the installer saves the .msc file (file name) to the Anti-Virus folder and adds the Anti-Virus snap-in to the list of isolated Microsoft Windows snap-ins.
You can open the Anti-Virus console on the protected server by starting it from the Start menu or from the shortcut menu of the Anti-Virus icon in the task tray. You can also launch the msc-file of the Anti-Virus snap-in or add the Anti-Virus snap-in to an existing MMC console as a new element in the tree. In the 64-bit version of Microsoft Windows you can add the Anti-Virus snap-in only in the 32-bit version of MMC (MMC32): open MMC from the shell with the command: mmc.exe /32.
You can manage Anti-Virus via the MMC installed on the protected server or on any other computer within the network. After you have installed the Anti-Virus console onto another computer you must perform advanced configuration as described in section 2.2 on pg. 26.
You can add several Anti-Virus snap-ins to a single console opened in author mode in order to use it for managing protection of multiple servers on which Anti-Virus is installed.

2.2. Advanced configuration after installation of the Anti-Virus Console in MMC on another computer

If you installed the Anti-Virus Console in MMC on another computer rather than on the protected server, you must perform the following actions in order to remotely control Anti-Virus on the protected server:
• add Anti-Virus users to the KAVWSEE Administrators group on the protected server (see section 2.2.1 on pg. 27);
• if the protected server is running Microsoft Windows Server 2008, allow network connections for the Anti-Virus management service kavfsgt.exe on this computer (see 2.2.2 on pg. 28);
• if the remote computer is running Microsoft Windows XP SP1, disable Windows Firewall on it to allow network connections for the Anti-Virus Console installed on it (see section 2.2.3 on pg. 29);
• for the Anti-Virus Console on a computer running Microsoft Windows XP SP2 or Microsoft Windows Vista: if during Console installation you did not select the Allow network connections for Kaspersky Anti-Virus Console checkbox, manually allow network connections for the console in the firewall on that computer (see section 2.2.4 on pg. 29).
2.2.1. Adding Anti-Virus users to the KAVWSEE Administrators group on the protected server

In order to manage Anti-Virus via the Anti-Virus console in MMC installed on another computer, the Anti-Virus users must have full access to the Anti-Virus management service (Kaspersky Anti-Virus Management) on the protected server. By default only users included in the group of local administrators on the protected server have access to this service.

Note
To learn which services Anti-Virus registers, refer to the document Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition. Installation Guide.

You can grant the right to access the Anti-Virus management service to accounts of the following types:
• accounts registered locally on the computer on which the Anti-Virus console is installed. In order to establish a connection, an account with the same data must be registered locally on the protected server;
• accounts registered in the domain in which the computer with the Anti-Virus console installed is registered. In order to establish a connection, the protected server must be registered within the same domain or within a domain that is in a trust relationship with this domain.
During the installation Anti-Virus registers the KAVWSEE Administrators group on the protected server. Users of this group are granted access to the Anti-Virus management service. You can grant or disallow users access to the Anti-Virus management service by adding them to the KAVWSEE Administrators group or removing them from this group.
In order to allow or disallow access to the Anti-Virus management service:
1. On the protected server select Start → Settings → Control Panel. Select Administrative Tools → Computer Management in the Control Panel window.
2. In the Computer Management console expand the Local users and groups node and then expand the Groups node.
3. Double-click the KAVWSEE Administrators group and perform the following actions in the Properties window:
   • in order to allow the user to remotely manage Anti-Virus using the console, add this user to the KAVWSEE Administrators group;
   • in order to disallow the user to remotely manage Anti-Virus using the console, remove this user from the KAVWSEE Administrators group.
4. Press OK in the Properties dialog box.
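Membership of the KAVWSEE Administrators group described above can also be reviewed from a script. The following PowerShell script is an added example, not part of the Kaspersky documentation: it lists the current members of the group on the protected server and compares them with a list of approved accounts. The account names in $Approved are hypothetical placeholders.

```powershell
# Added example, not from the Kaspersky guide. Run in an elevated PowerShell
# session on the protected server. It uses the ADSI WinNT provider, so it does
# not depend on the LocalAccounts module of newer PowerShell versions.

$GroupName = 'KAVWSEE Administrators'   # group registered by the installer (from the guide)

# Hypothetical allowlist of accounts approved to manage Anti-Virus remotely,
# written as DOMAIN/user (domain account) or DOMAIN/COMPUTER/user (local account).
$Approved = @(
    'CONTOSO/av-operator1',
    'CONTOSO/av-operator2'
)

function Get-GroupMemberName {
    param([string]$Group)

    $entry = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    try {
        # Members() returns COM objects; their ADsPath is read by late binding.
        $members = @($entry.psbase.Invoke('Members'))
    }
    catch {
        throw "Cannot read group '$Group'. Is Anti-Virus installed on this server?"
    }
    foreach ($m in $members) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://CONTOSO/av-operator1" -> "CONTOSO/av-operator1".
        # Accounts that no longer resolve appear as a bare SID and are
        # reported as unexpected below.
        $path -replace '^WinNT://', ''
    }
}

$current = @(Get-GroupMemberName -Group $GroupName)

# -contains / -notcontains compare case-insensitively, like Windows account names.
$unexpected = @($current  | Where-Object { $Approved -notcontains $_ })
$missing    = @($Approved | Where-Object { $current  -notcontains $_ })

"Members of '$GroupName': $($current.Count)"
$current | ForEach-Object { "  $_" }

if ($unexpected.Count -gt 0) {
    'Members that are not on the approved list:'
    $unexpected | ForEach-Object { "  $_" }
}
if ($missing.Count -gt 0) {
    'Approved accounts that are not yet members:'
    $missing | ForEach-Object { "  $_" }
}

# Granting or revoking access from the command line (equivalent to step 3 of
# the procedure above); the account names are placeholders:
#   net localgroup "KAVWSEE Administrators" CONTOSO\av-operator1 /add
#   net localgroup "KAVWSEE Administrators" CONTOSO\old-account /delete
```

The script only reports differences; membership changes are left to the administrator.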

2.2.2. Allowing network connections for Anti-Virus management service on the server running Microsoft Windows Server 2008

In order to establish connections between the console and the Anti-Virus management service it is necessary to allow network connections through the firewall for the Kaspersky Anti-Virus management service on the protected server.
To allow network connections for the Kaspersky Anti-Virus management service:
1. On the protected server running Microsoft Windows Server 2008 select Start → Control Panel → Security → Windows Firewall.
2. In the Windows Firewall settings dialog window click Change settings.
3. In the list of predefined exceptions on the Exceptions tab select the check boxes: COM + Network access, Windows Management Instrumentation (WMI) and Remote Administration.
4. Press the Add Program button.
5. Specify the kavfsgt.exe file in the Add a Program dialog window. It is located in the folder that you specified as the destination folder during installation of the Anti-Virus console in MMC. By default the full path to the file is as follows:
   • in the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition\kavfsgt.exe;
   • in the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition\kavfsgt.exe.
6. Press the OK button.
7. Press the OK button in the Windows Firewall settings dialog window.
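The same firewall exceptions can be applied from an elevated PowerShell prompt on the protected server with netsh advfirewall. This is an added example, not part of the Kaspersky documentation; the rule name and the $ConsoleHost address are hypothetical, and the rule group names assume an English-language Windows Server 2008.

```powershell
# Added example, not from the Kaspersky guide. Run in an elevated PowerShell
# session on the protected server running Windows Server 2008.

$RuleName    = 'Kaspersky Anti-Virus management service'   # hypothetical rule name
$ConsoleHost = '192.0.2.10'   # hypothetical address of the computer running the console

# Default installation folder from the guide. On 64-bit Windows the file is
# under %ProgramFiles(x86)%, on 32-bit Windows under %ProgramFiles%.
$productDir   = 'Kaspersky Lab\Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition'
$programFiles = ${env:ProgramFiles(x86)}
if (-not $programFiles) { $programFiles = $env:ProgramFiles }
$exePath = Join-Path (Join-Path $programFiles $productDir) 'kavfsgt.exe'

if (-not (Test-Path $exePath)) {
    throw "kavfsgt.exe not found at '$exePath'. Adjust the path if a non-default folder was chosen."
}

# Step 3 of the procedure: enable the predefined exceptions. The group names
# are assumed to match the English display names of the built-in rule groups.
$groups = 'COM+ Network Access',
          'Windows Management Instrumentation (WMI)',
          'Remote Administration'
foreach ($g in $groups) {
    netsh advfirewall firewall set rule group="$g" new enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Rule group '$g' was not found or could not be enabled."
    }
}

# Steps 4-6: allow inbound connections to kavfsgt.exe. As an added restriction
# that the guide does not require, the rule accepts connections only from the
# console host; remove remoteip=... if other management hosts need access.
netsh advfirewall firewall show rule name="$RuleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    "Rule '$RuleName' already exists; leaving it unchanged."
}
else {
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        program="$exePath" remoteip=$ConsoleHost enable=yes
}

# Show the resulting rule so the program path and scope can be checked.
netsh advfirewall firewall show rule name="$RuleName" verbose
```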
2.2.3. Enabling network connections for the Anti-Virus MMC Console in Microsoft Windows XP SP1

If the computer with the installed Anti-Virus Console runs Microsoft Windows XP SP1, you will have to disable Windows firewall on that host to allow network connections for the console:
1. On the computer with the installed Anti-Virus Console in MMC select Start → Control Panel → Network Connections.
2. Open the context menu of a network connection (e.g., Local Area Connection) and select its Properties.
3. In the <Network connection name>: Properties dialog, clear the Protect my Internet connection checkbox on the Advanced tab.
4. Press the OK button.

2.2.4. Enabling network connections for the Anti-Virus MMC Console in Microsoft Windows XP SP2 or Microsoft Windows Vista

The Anti-Virus console in MMC on the remote computer uses the DCOM protocol
in order to receive information about Anti-Virus events (objects scanned, tasks
completed, etc.) from the Anti-Virus management service on the protected server.
If the computer with the installed console runs Microsoft Windows XP SP2 or
Microsoft Windows Vista, you will have to allow network connections through the
firewall on this computer in order to open connections between the console and the
Anti-Virus management service.
Perform the following steps:
• make sure that anonymous remote access to COM applications is allowed
(but not remote launch and activation of COM applications) and
• in the Windows firewall open TCP port 135 and allow network connections
for the executable file kavfsrcn.exe of the Anti-Virus remote management
process.
The client computer on which the Anti-Virus console in MMC is installed
uses TCP port 135 in order to access the protected server and to receive
the server response.
In order to grant anonymous access to COM applications:
1. On the computer with the Anti-Virus MMC console installed open the
Component Services console. To do that select Start → Run, type
dcomcnfg and press the OK button.
2. Expand the Computers node in the Component Services console of
the computer, open the shortcut menu of the My Computer node and
select the Properties command.
3. On the COM Security tab of the Properties dialog box, press the Edit
Limits button in the Access Permissions group of settings.
4. Make sure that the Allow remote access box is checked for the
ANONYMOUS LOGON user in the Access Permission dialog box.
5. Press the OK button.
In order to open TCP port 135 in the Windows firewall and allow network
connections for the executable file of the Anti-Virus remote management process:
1. Close the Anti-Virus MMC console on the remote computer.
2. Perform one of the following actions:
• in Microsoft Windows XP SP2 or higher select Start → Control
Panel → Windows Firewall.
• in Microsoft Windows Vista select Start → Control Panel →
Windows Firewall and click Change settings in the Windows
Firewall dialog window.
3. In the Windows Firewall dialog window (or Windows Firewall settings)
press the Add port button on the Exceptions tab.
4. In the Name field specify the port name RPC (TCP/135) or enter another
name, for example Anti-Virus DCOM, and specify the port number (135)
in the Port number field.
5. Select TCP protocol.
6. Press the OK button.
7. Press the Add program button on the Exceptions tab.
8. Specify the file kavfsrcn.exe in the Add a program dialog box. It is stored in
the folder that you specified as the destination folder during the
installation of the Anti-Virus console in MMC. By default the full path to
the file is as follows:
• in Microsoft Windows 32-bit version:
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition Admins Tools\kavfsrcn.exe;
• in Microsoft Windows 64-bit version:
%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition Admins Tools\kavfsrcn.exe.
9. Press the OK button.
10. Press OK in the Windows Firewall (Windows Firewall settings) dialog
box.

Note
In order to apply the new connection settings: if the Anti-Virus console
was opened while you were configuring the connection between the
protected server and the computer with the console installed, close the
console, wait for 30-60 seconds (until the Anti-Virus remote management
process kavfsrcn.exe is completed) and then run it again.
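
The firewall steps of section 2.2.4 can also be applied from an administrator command prompt on the console computer. The batch script below is an added example, not part of the Kaspersky guide; the server address 192.0.2.10, the rule name used for kavfsrcn.exe, and the restriction of both exceptions to the protected server's address are assumptions (the dialog steps above create unscoped exceptions).

```batch
@echo off
rem Added example, not from the Kaspersky guide: command-line equivalent of
rem the Windows Firewall steps in section 2.2.4. Run it on the computer with
rem the Anti-Virus console installed, with the console closed.
setlocal

rem ASSUMPTION: address of the protected server. 192.0.2.10 is a documentation
rem placeholder; replace it. For several protected servers, list their
rem addresses separated by commas.
set "SERVER_IP=192.0.2.10"

rem Rule names are free text. "Anti-Virus DCOM" is the example name from the
rem guide; the second name is an assumption.
set "PORT_RULE=Anti-Virus DCOM"
set "APP_RULE=Anti-Virus kavfsrcn.exe"

rem Default installation folder given in the guide: %ProgramFiles% on 32-bit
rem Windows, %ProgramFiles(x86)% on 64-bit Windows.
set "PF=%ProgramFiles%"
if defined ProgramFiles(x86) set "PF=%ProgramFiles(x86)%"
set "KAVFSRCN=%PF%\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition Admins Tools\kavfsrcn.exe"

if not exist "%KAVFSRCN%" goto missing

rem Windows XP reports "Version 5.x" and only has the "netsh firewall"
rem context; Windows Vista (6.0) provides "netsh advfirewall".
ver | findstr /c:"Version 5." >nul
if not errorlevel 1 goto xp

rem --- Windows Vista ---
rem Inbound TCP 135 and the kavfsrcn.exe program, limited to the server address.
netsh advfirewall firewall add rule name="%PORT_RULE%" dir=in action=allow protocol=TCP localport=135 remoteip=%SERVER_IP%
if errorlevel 1 goto failed
netsh advfirewall firewall add rule name="%APP_RULE%" dir=in action=allow program="%KAVFSRCN%" remoteip=%SERVER_IP%
if errorlevel 1 goto failed
rem Print the rules back so the scope can be reviewed.
netsh advfirewall firewall show rule name="%PORT_RULE%"
netsh advfirewall firewall show rule name="%APP_RULE%"
goto done

:xp
rem --- Windows XP SP2 ---
rem scope=CUSTOM with addresses= limits the exception to the listed hosts.
netsh firewall add portopening protocol=TCP port=135 name="%PORT_RULE%" mode=ENABLE scope=CUSTOM addresses=%SERVER_IP%
if errorlevel 1 goto failed
netsh firewall add allowedprogram program="%KAVFSRCN%" name="%APP_RULE%" mode=ENABLE scope=CUSTOM addresses=%SERVER_IP%
if errorlevel 1 goto failed
netsh firewall show portopening
netsh firewall show allowedprogram
goto done

:missing
echo kavfsrcn.exe was not found under "%PF%".
echo Edit KAVFSRCN to point at the folder chosen during console installation.
exit /b 1

:failed
echo netsh reported an error; no further rules were added.
exit /b 1

:done
echo Firewall exceptions added for %SERVER_IP%.
echo If the console was open meanwhile, close it and wait 30-60 seconds
echo for kavfsrcn.exe to exit before starting the console again.
exit /b 0
```

To reproduce the unscoped exceptions that the dialog steps create, drop the remoteip= parameter on Windows Vista, or the scope= and addresses= parameters on Windows XP SP2.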

2.3. Starting the Anti-Virus console from the Start menu
Make sure that the Anti-Virus console is installed on the computer.
In order to start the Anti-Virus console from the Start menu:
1. Select Start → Programs → Kaspersky Anti-Virus 6.0 for Windows
Servers Enterprise Edition → Administration Tools → Kaspersky
Anti-Virus MMC Console.

Note
If you plan to add other snap-ins to the Anti-Virus console, open the
console in the authoring mode: select Start → Programs → Kaspersky
Anti-Virus 6.0 for Windows Servers Enterprise Edition →
Administration Tools, open the shortcut menu on the Kaspersky
Anti-Virus console and select Author.

If you started the Anti-Virus console on the protected server, the console
window (see Figure 1) will open.

Figure 1. The Anti-Virus console window

2. If you started the Anti-Virus console on a remote computer rather than
on the protected server, connect to the protected server: open the
shortcut menu on the Anti-Virus snap-in name, select the command Connect
to another computer, then select Another computer in the Select
computer dialog box and specify the network name of the protected
server in the entry field.
If the account that you used to log on to Microsoft Windows does not
have the access right to the Anti-Virus Management Service on the
server, specify a different account that has such rights. For details on
which accounts you can grant access to the Anti-Virus Management
Service refer to section 2.2.1 on pg. 27.

2.4. Anti-Virus icon in the notification area of the task tray
Each time Anti-Virus automatically starts after the server restart, the Anti-Virus
icon will be displayed in the notification area of the task tray. It is displayed
by default if during Anti-Virus installation you included the Task tray application
component into the set of the installed components.
The Anti-Virus icon may have one of the two statuses:

Active (color) - if any real-time protection task (Real-time file protection
or Script Monitoring) is currently in progress (for details about real-time
protection tasks refer to section 6.1 on pg. 62);

Inactive (black and white) - if the Real-time file protection task or the
Script Monitoring is not being performed at the moment.

To open the shortcut menu shown in Figure 2, right-click the Anti-Virus icon.

Figure 2. Shortcut menu of the Anti-Virus menu

The shortcut menu includes the following commands:

Command | Description
Open Kaspersky Anti-Virus Console | If Anti-Virus console is installed at the computer, you can open it.
About the program | Opens the About the program window with information about the Anti-Virus. If you are registered as Anti-Virus user, then the About the program window would contain information about urgent updates installed.
Hide | Hides the Anti-Virus icon in the notification area of the task panel. In order to display the Anti-Virus icon, select Programs → Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition → Tray Application.

You can enable or disable the display of the Anti-Virus icon after Anti-Virus
automatically starts following the server restart (see section 3.2 on pg. 40).

2.5. Anti-Virus console window


The Anti-Virus console window (see Figure 3) includes the console tree and the result
panel. The console tree displays the Anti-Virus functional components, and the
result panel displays information about the selected node.

Figure 3. Anti-Virus console

If run from the Start menu, the Anti-Virus console will contain the taskpad (from
an .msc file saved when Anti-Virus is installed). If you added the Anti-Virus utility
to the MMC console yourself, the console will not contain the taskpad.

2.6. Distribution of access permissions to Anti-Virus functions
This section contains the following information:
• On access permissions to Anti-Virus features (see 2.6.1 on pg. 35);
• Granting access permissions to Anti-Virus features (see 2.6.2 on pg. 36).

2.6.1. About access permissions to Anti-Virus functions
By default access to all Anti-Virus functions is granted to the users of the
Administrators group and users of the KAVWSEE Administrators group created on the
protected server during Anti-Virus installation.
Users who have access to the Anti-Virus function Managing permissions can grant
access to Anti-Virus functions to other users registered on the protected server
or included into the domain.
If a user is not registered in the Anti-Virus users' list, he cannot view the
Anti-Virus console.
You can grant an Anti-Virus user (or a group of users) access permissions to:
• all Anti-Virus functions (full control);
• all Anti-Virus functions except the user permissions management
function (modification);
• only viewing functional Anti-Virus components, general Anti-Virus
settings, settings of its functions and tasks, statistics and user rights
(reading).
You also can perform advanced configuration of the access permissions: allow or
disallow access to individual Anti-Virus functions. Functions, access to which can
be modified, are listed in Table 1.
Table 1. Distribution of access permissions to Anti-Virus functions

Function | Description
Read statistics | Viewing the status of the functional Anti-Virus components and statistics of the tasks in progress
Task status management | Anti-Virus task starting/stopping/pausing/resuming
Task management | Creating and deleting on-demand scan tasks
Read settings | Viewing general Anti-Virus and task settings; viewing report, notification and System audit log settings; exporting Anti-Virus settings
Modify settings | Viewing and changing general Anti-Virus and task settings; importing and exporting Anti-Virus settings; viewing and changing task settings; viewing and changing the report, notification and System audit log settings
Quarantine and Backup management | Placing objects into quarantine; removing objects from the quarantine and removing files from Backup; restoration of objects from Backup and quarantine
View reports | Viewing summary and detail reports about task execution in the Reports nodes and events in the System audit log node
Manage reports | Deleting reports and purging the system audit log
Key management | Installing and removing keys
Read permissions | Viewing the list of the Anti-Virus users
Manage permissions | Adding and deleting Anti-Virus users; modifying user access permissions to Anti-Virus functions

2.6.2. Configuring access rights to the Anti-Virus functions
In order to add or delete a user (a group) or to change the access permissions of
a user (a group):
1. Right-click the Anti-Virus utility in the console tree and select Modify
user permissions.
The Permissions dialog box (see Figure 4) will open:

Figure 4. The Permissions dialog box

2. Perform the following in the Permissions dialog box:
• in order to add a user (a group) to the list of Anti-Virus users, press
the Add button and select users or groups you wish to add;
• to grant to the added user (group) access permissions to Anti-Virus
functions, select the user (group) under the heading Group or user
names and check the Allow box for the following permissions:
o Full control – to grant access to all Anti-Virus functions;
o Read – to grant access to functions Statistics reading, Settings
reading, Report reading and Right reading;
o Modification – to grant access to all Anti-Virus functions except
function Right modification.
• in order to perform advanced permission configuration (Special
permissions), press the Advanced button, then select the required
user or group and press the Modify button in the Advanced
security settings, and then in the Permission entries dialog box
(see Figure 5) check the Allow or the Deny box next to the functions
access to which you wish to allow or prohibit. (The list of functions
and their brief description is provided in Table 1). Then press
the OK button.

Figure 5. The Permission Entry dialog box

3. Press the OK button in the Permissions dialog box.

2.7. Starting and stopping


By default the Anti-Virus service starts automatically during the operating system
startup. The Anti-Virus service controls the processes in which real-time
protection, on-demand scan and updating tasks are being executed.
By default when the Anti-Virus service is started, the tasks Real-time file
protection, Script Monitoring, Scan at system startup and Application integrity
control, as well as other tasks that are scheduled to start At application startup,
will be started.
If you stop the Anti-Virus service, execution of all tasks will be interrupted. After
you restart the Anti-Virus service, interrupted tasks will not be resumed
automatically. Only those tasks scheduled to start At application startup will be
restarted.

Note
You can start and stop the Anti-Virus service only if you are a member of the
group of local administrators on the protected server.

In order to start or stop the Anti-Virus service, open the shortcut menu of the
Anti-Virus snap-in in the console tree and select one of the following commands:
• Stop, to stop the Anti-Virus service;
• Start, to start the Anti-Virus service.
You also can start and stop the Anti-Virus service using the Microsoft Windows
Services snap-in.
CHAPTER 3. GENERAL ANTI-VIRUS SETTINGS

This chapter contains the following information:
• about general Anti-Virus settings (see 3.1 on pg. 40);
• configuring general Anti-Virus settings (see 3.2 on pg. 40).
Discussion of general Anti-Virus settings is provided in A.1 on pg. 339.

3.1. About general Anti-Virus settings
General Anti-Virus settings establish the general conditions of the Anti-Virus
operation. They allow you to control the number of working processes used by
Anti-Virus, enable Anti-Virus task recovery after an abnormal termination, maintain
the tracking log, enable creation of the memory dump file of the Anti-Virus
processes in case of an abnormal termination, turn on or off the display of the
Anti-Virus icon after Anti-Virus automatically starts following the server restart,
etc.

3.2. Configuring general Anti-Virus settings
This section describes how to configure the Kaspersky Anti-Virus general
settings. For a description of the general settings refer to section A.1 on pg. 339.
In order to configure Kaspersky Anti-Virus general settings:
1. Open the shortcut menu of the Anti-Virus snap-in in the console tree
and select Properties.
2. Using the following tabs modify the values of the general Anti-Virus
settings as per your requirements:
• On the General tab (see Figure 6):
o Specify the maximum number of working processes that Anti-Virus
can start (see A.1.1 on pg. 340);
o Specify the fixed number of processes to run real-time protection
tasks (see A.1.2 on pg. 341);
o Specify the number of working processes to run background
scan tasks (see A.1.3 on pg. 342);
o Specify the number of task recovery attempts after their abnormal
termination (see A.1.4 on pg. 343).

Figure 6. The Properties dialog box, General tab

• On the Additional tab (see Figure 7):
o Indicate whether you wish the Anti-Virus icon to be displayed in
the notification area of the server's task tray each time Anti-Virus
starts after the server restart (for more details about the Anti-Virus
icon refer to section 2.4 on pg. 32);
o Specify how many days summary and detailed reports about
the execution of tasks displayed in the Store reports node will
be stored (see A.1.5 on pg. 344);
o Specify how many days information in the Storage of system
audit log node will be stored (see A.1.6 on pg. 344);
o Specify the actions of Anti-Virus when running on an uninterruptible
power supply (see A.1.7 on pg. 345);
o Specify the maximum number of days after which events Database
is obsolete, Database is outdated, Full computer scan
has not been performed for a long time will be created (see
A.1.8 on pg. 346).

Figure 7. The Properties dialog box, Additional tab

• On the Malfunction diagnosis tab (see Figure 8):
o Enable or disable creation of the tracking log; if required configure
the log settings (see A.1.9 on pg. 346);
o Enable or disable creation of the Anti-Virus process memory
dump files (see A.1.10 on pg. 351).

Figure 8. The Properties dialog box, Malfunction diagnosis tab

3. After you have configured the values of the required Anti-Virus settings,
press the OK button.
CHAPTER 4. IMPORTING AND EXPORTING ANTI-VIRUS SETTINGS

This chapter contains the following information:
• about importing and exporting the Anti-Virus settings (see 4.1 on pg. 44);
• exporting settings (see 4.2 on pg. 45);
• importing settings (see 4.3 on pg. 46).

4.1. About importing and exporting settings
If you wish to set up common values of the Anti-Virus settings on several
protected servers, you can configure the Anti-Virus settings on one of the servers,
export them into a configuration file in XML format and then import them from
this file to the Anti-Virus installed on all other servers.
You can save into the configuration file all Anti-Virus settings or settings of
individual functional components.
When you are exporting all Anti-Virus settings, Anti-Virus will save into the
file the general settings and the settings of the following functional components:
• Real-time file protection;
• Script monitoring;
• Blocking access from computers;
• On-demand scan;
• Anti-Virus bases and module updates;
• Quarantine;
• Backup storage;
• Reports;
• User accounts permissions;
• Notifications;
• Trusted zone.
Anti-Virus does not export the settings of group tasks or the lists used for blocking
access from computers.
Anti-Virus exports all passwords used in the application, for example data for the
accounts used to launch tasks or connect to the proxy server, and saves them in
the configuration file in encrypted form. However, they can be imported only by
Anti-Virus installed on the same computer, and only if it was not re-installed or upgraded.
Anti-Virus installed on another computer cannot import them. After the settings
have been imported to another computer you will have to enter the passwords
manually.
If a Kaspersky Administration Kit policy is active at the moment of export,
Anti-Virus exports values that had been active before such policy was applied rather
than the values used by this policy.

Note
Imported task settings are not used in the running tasks; they are applied when
tasks are started. We recommend that you stop tasks in the functional components
before importing settings into them.

4.2. Exporting settings


In order to export settings into the configuration file:
1. If you modified settings in the Anti-Virus console, press the Save button
before exporting them in order to save their new values.
2. Perform one of the following actions:
• in order to export all Anti-Virus settings, open the shortcut menu of
the Anti-Virus snap-in in the console window and select Export
settings;
• in order to export the settings of an individual functional component,
open the shortcut menu of the node of this functional component
in the console tree and select Export settings.
This will open the greeting window of the settings export wizard.
3. Follow the wizard's instructions: specify the name for the configuration
file into which you wish to save the settings and the path to it.
When specifying the path you can use system environment variables; you
cannot use user environment variables.

Note
If a Kaspersky Administration Kit policy is active at the moment of export,
Anti-Virus exports values that had been active before such policy
was applied rather than the values used by this policy.

4. Press the OK button in the Export completed box in order to close the
settings export wizard.

4.3. Importing settings


In order to import settings from the configuration file:
1. Perform one of the following actions:
• in order to import all Anti-Virus settings, open the shortcut menu of
the Anti-Virus snap-in in the console window and select Import
settings;
• in order to import the settings of an individual functional component,
open the shortcut menu of the node of this functional component
in the console tree and select Import settings.
This will open the greeting window of the settings import wizard.
2. Follow the wizard's instructions: specify the configuration file from which
you wish to import the settings.

Note
After you have imported the general settings of the Anti-Virus or its
functional components on the server, you will not be able to return the old
values of these settings.

3. Press the OK button in the Import completed box in order to close the
settings import wizard.

4. Press the Update button in the tools panel in the Anti-Virus console
to display the imported settings.

Note
Anti-Virus does not import passwords (data of the accounts used to
launch tasks or to connect to the proxy server) from the file created on
another computer or on the same computer after Anti-Virus installed on
it has been re-installed or updated. After the importing operation is
completed, you will have to enter the passwords manually.
CHAPTER 5. TASK MANAGEMENT

This chapter contains the following information:
• Categories of Anti-Virus tasks by the type of their creation and execution
(see 5.1 on pg. 48);
• Creating tasks (see 5.2 on pg. 50);
• Saving a task after modifying its settings (see 5.3 on pg. 52);
• Renaming tasks (see 5.4 on pg. 52);
• Deleting tasks (see 5.5 on pg. 53);
• Manual starting / pausing / resuming / stopping of tasks (see 5.6 on pg. 53);
• Managing task schedules (see 5.7 on pg. 53);
• Viewing task statistics (see 5.8 on pg. 58);
• Using a different account to start a task (see 5.9 on pg. 59).

5.1. Categories of Anti-Virus tasks


Functions Real-time protection, On-demand protection, Updating and Managing
the Anti-Virus keys are implemented as tasks. You can start and stop tasks
either manually or using a schedule.
By the place of their creation and execution tasks can be local and group. Local
tasks can be of two categories: system and user-defined tasks.
Local tasks
Local tasks are executed only on the protected server for which they are
created.
• Local system tasks are created automatically during the Anti-Virus
installation. You can modify settings for all system tasks except tasks
Scan Quarantine, Application integrity control and Application
database rollback. You cannot rename or delete system tasks. You can
launch system and user-defined on-demand scan tasks at the same
time.
• Local user-defined tasks. You can add new on-demand scan tasks in
the Anti-Virus console in MMC. Using the administration console of the
Kaspersky Administration Kit application, you can create new
on-demand scan, database update, database update rollback, and update
downloading tasks. Such tasks are called user-defined tasks. You can
rename, configure and delete user-defined tasks. You can start several
user-defined tasks at the same time.
Group tasks
Group and global tasks created in the Kaspersky Administration Kit
Administration Console are reflected in the Anti-Virus console in MMC. They are all
called group tasks in the Anti-Virus console. You can manage group tasks
and configure them from the Kaspersky Administration Kit application. In the
Anti-Virus console in MMC you can only view the status of group tasks.
The Anti-Virus console displays information about the tasks (see example
on Figure 9).

Figure 9. Real-time protection tasks in the Anti-Virus console window

Task management commands are listed in the shortcut menu that opens when you
right-click the task name.
Task management operations are registered in the system audit log (see 13.3 on
pg. 199).

5.2. Creating a task


You can create user-defined tasks in the On-demand scan node. Creation of
user-defined tasks is not provided in other functional components of Anti-Virus.
In order to create a new on-demand scan task:
1. Right-click the On-demand scan node and select Add task (see Figure
10).

Figure 10. An example of creating a task

This will open the Create task dialog box (see Figure 11):

Figure 11. The Create task dialog box

2. Enter the following information about the task:
• Name - task name, not more than 100 characters.
• Description - any additional information about the task, with maximum
length 2000 characters. This information will be displayed in
the task property dialog box.
3. If you need to run the task in a low-priority process, select Execute task
in the background (for more details on Anti-Virus task priorities, see
9.3 on pg. 131).
4. Press the OK button. The task will be created. A line with information about
this task will appear in the console window.

5.3. Saving task after changing its settings
You can change settings of a running or of a stopped (paused) task:
• If you changed settings of a running task, then for real-time protection
tasks new values of the settings will be applied immediately after you
save them, and for all other tasks - next time the task is started;
• If you changed the settings of a stopped task, the new values of the
settings will be applied after you save them and start the task.
To save the changed settings of a task, open the shortcut menu of the task name
and select the Save command.

Note
If after the change of the task settings you select another node in the console
tree without first selecting the Save command, a setting saving dialog box will
appear. Press Yes in this window to save the task settings or No to leave the
node without saving the changes.

Settings of the Real-time file protection task are listed in 6.2 on pg. 62.
Settings of the Scan My computer task are listed in 9.2 on pg. 112.
Update task settings are listed in 10.5 on pg. 144.

5.4. Renaming tasks


You can rename only user-defined tasks in the Anti-Virus console; you cannot
rename system or group tasks.
In order to rename a task:
1. Right-click the task name and select Properties.
2. Enter the new task name in the Name field of the Properties dialog window
and press the OK button.
The task will be renamed. The operation will be registered in the system audit log (see
13.3 on pg. 199).
To learn how to configure security parameters see 5.7 on pg. 53.

5.5. Deleting tasks


You can delete only user-defined tasks in the Anti-Virus console, but you cannot
delete system or group tasks.
In order to delete a task:
1. Right-click the task name and select Delete.
2. Press the Yes button in the Deleting task dialog box in order to confirm
the action.
The task will be deleted and the deletion operation will be registered in the
system audit log (see 13.3 on pg. 199).

5.6. Starting/pausing/resuming/stopping tasks manually
You can pause or resume all tasks except the updating tasks.
In order to start/pause/resume/stop a task, right-click the task name and select
the command you wish to perform: Start, Pause, Resume or Stop.
The operation will be performed. The task status in the result panel will change
and the operation will be registered in the system audit log (see 13.3 on pg. 199).

Note
If you pause and resume an on-demand scan task, Anti-Virus will resume the
scan of the object on which the task had been paused.

5.7. Managing task schedules


This chapter contains the following information:
• task schedule configuration (see 5.7.1 on pg. 54);
• enabling / disabling configured task schedule (see 5.7.2 on pg. 58).
Schedule settings are described in A.2 on pg. 353.

5.7.1. Configuring task schedules


You can configure the schedule of the local system and user-defined tasks in the
Anti-Virus console. You cannot configure the group task schedule settings.
Schedule settings are described in A.2 on pg. 353.
In order to configure the task schedule settings:
1. Right-click the name of the task whose schedule you wish to configure
and select Properties.
2. Using the Task Properties dialog box (see Figure 12) enable the schedule
for this task: check the Run by the schedule box.

Note
Fields with the schedule settings will be unavailable if the launch of this
scheduled system task is disabled by the Kaspersky Administration Kit
policy (see section 19.4 on pg. 272).

3. Configure the schedule settings in accordance with your requirements.
a) Specify the frequency for the task startup (see A.2.1 on pg. 353):
select one of the following values in the Frequency list: Every
hour, daily, weekly, At application startup, At Anti-Virus database
update:
o If you selected Every hour, specify the number of hours in the
Every <number> hours field in the Task Start Settings settings
group;
o If you selected Every day, specify the number of days in the
Every <number> days field in the Task Start Settings settings
group;
o If you selected Weekly, specify the number of weeks in the
Every <number> weeks field in the Task Start Settings settings
group. Specify the weekdays on which the task will be launched (by
default the task will be launched on Mondays).

Figure 12. An example of dialog box Schedule settings with the Frequency setting
assigned value Weekly

b) In the Start time field, specify the time that the task will first run.
c) In the Start from field, specify the date that the schedule will become
effective (see A.2.2 on pg. 355).

Note
After you have specified the task startup frequency, the time of the
first task execution and the date for the schedule to be enabled,
information about the calculated time for the next task launch will
appear in the top part of the dialog box in the Next launch field.
Updated information about the calculated time of the new launch
will be displayed each time you open the Task Property of the
Schedule dialog box.
The value Task launch is prohibited by the policy is displayed in the Next launch
field if the parameters of the active policy of Kaspersky
Administration Kit prohibit launching of the system tasks on schedule
(for more details refer to section 19.4 on pg. 272).

4. Using the Additional tab (see Figure 13) configure the remaining schedule
settings in accordance with your requirements.

Figure 13. The Schedule settings dialog box, Additional tab

a) To specify the maximum duration of the task execution, enter the
required number of hours and minutes in the Duration field in the
Task stop settings group (see A.2.4 on pg. 356).
b) To specify the time period within 24 hours during which the task
execution will be paused, enter the From and Until values for the
duration in the Pause from… until field (see A.2.5 on pg. 357).
c) To specify the schedule disabling date, check the End schedule
date box and using the Calendar dialog box select the date on
which the schedule will be disabled (see A.2.3 on pg. 356).
d) To enable the skipped task launch function, check the Run missed
tasks box (see A.2.6 on pg. 357).
e) To enable the use of the Randomize the task start setting, check
the Randomize the task start within interval box and specify the value
for this setting in minutes (see A.2.7 on pg. 358).
5. Press the OK button to save the changes you have made in the Schedule
settings dialog box.

5.7.2. Enabling and disabling scheduled launch
After you have configured the task schedule once, you can enable and disable it.
After you have disabled the schedule, its settings (startup frequency, startup
time, etc.) will not be deleted and you will be able to enable the schedule again, if
required.
In order to enable or disable the schedule:
1. Right-click the name of the task for which you wish to enable or disable
the schedule and select Properties.
2. Perform one of the following actions in the Schedule settings group in the Task Properties dialog box:
• check the Start according to schedule box to enable the schedule;
• uncheck the Start according to schedule box to disable the schedule.
3. Press the OK button.

5.8. Viewing task statistics


While the task is running you can view in real time detailed information about the task execution from the moment the task was launched until the current moment, that is, the task execution statistics.
If you pause the task, the statistics information will be available in the Statistics dialog box. After the task is completed or stopped you can view this information in the detailed report about the task events (see 13.2.4 on pg. 191).
In order to view the task execution statistics, in the console window right-click the name of the task whose statistics you wish to view and select Statistics.

5.9. Using a different user account to launch a task
This chapter contains the following information:
• Using a different account to start a task (see 5.9.1 on pg. 59).
• Specifying the user account for starting the task (see 5.9.2 on pg. 60).

5.9.1. About using accounts to launch tasks
You can specify the account under which a selected task of any functional Anti-Virus component, except the Real-time protection component, will be launched.
By default all tasks except the real-time protection tasks are executed under the Local System (SYSTEM) account. While performing real-time protection tasks Anti-Virus intercepts the object being scanned when an application accesses it and uses the permissions of that application.
You must specify a different account with sufficient access permissions in the following cases:
• In the updating task, if you specified a public folder on a different computer in the network as the update source;
• If you use a proxy server with built-in Windows NTLM authentication for accessing update sources;
• In the on-demand scan tasks, if the Local System (SYSTEM) account does not have the access right to any of the objects being scanned (for example to the files in public folders in the network).

Note
Under the Local System (SYSTEM) account you can launch updating and on-demand scan tasks in which Anti-Virus accesses a public folder on a different computer if that computer is registered in the same domain as the protected server. In this case the Local System (SYSTEM) account must have access rights to these folders. Anti-Virus will access the computer using the rights of the Domain_name\Computer_name$ account.

5.9.2. Specifying the user account for running tasks
In order to specify an account for launching a task:
1. Right-click the task name and select the Properties command.
2. Using the Task Properties dialog box open the Run as tab (see Figure
14).

Figure 14. The Task Properties dialog box, Run as tab

3. On the Run as tab (see Figure 14) perform the following:
a) Select User account.
b) Enter the username and the password for the user whose account you wish to use.

Note
The user that you selected must be registered on the protected
server or within the same domain as this server.

c) Press the OK button.


CHAPTER 6. REAL-TIME PROTECTION

This chapter contains the following information:
• About real-time protection tasks (see 6.1 on pg. 62);
• Configuring the Real-Time File Protection task (see 6.2 on pg. 62);
• The Real-Time File Protection task statistics (see 6.3 on pg. 83);
• Configuring Script monitoring: selecting actions with suspicious scripts (see 6.4 on pg. 85);
• The Script Monitoring task statistics (see 6.5 on pg. 86).

6.1. About real-time protection tasks


Anti-Virus provides two real-time protection system tasks: Real-time file protection and Script monitoring. For more details about the Anti-Virus Real-time protection function refer to 1.1.1 on pg. 13.
By default Real-time protection tasks are started automatically at Anti-Virus startup. You can stop or restart these tasks and/or configure their schedule. You can also pause and resume real-time protection tasks if you need to interrupt the object scan for a short time, for example for the purpose of data replication.
You can configure the Real-time file protection task: create a protection area and configure the security settings for the selected nodes, configure blocking of access from computers, and apply the trusted zone (see 6.2 on pg. 62).
While the Script monitoring task is running, Anti-Virus prohibits execution of scripts it considers dangerous. If Anti-Virus detects a suspicious script, it will perform the action that you have selected: allow or disallow its execution. To learn how to allow or disallow execution of suspicious scripts see 6.4 on pg. 85.

6.2. Configuring Real-time file protection task
By default the Real-time file protection system task has the settings described in Table 2. You can modify these settings, that is, configure this task.

Table 2. Default settings of the Real-time file protection task

Parameter: Protection area
Default value: Entire server
Description: You can limit the protection scope (see 6.2.1 on pg. 65).

Parameter: Security settings
Default value: Common settings for the entire protection area; security level: Recommended.
Description: You can do the following for the nodes selected in the server file resources tree:
• Select a different pre-defined security level (see 6.2.2.1 on pg. 71);
• Manually modify the security settings (see 6.2.2.2 on pg. 74).
You can save the security settings for the selected node as a template to use later for any other node (see 6.2.2.3 on pg. 78).

Parameter: Protection mode
Default value: When opened and modified
Description: You can select the mode for objects protection, i.e. define the type of access during which Anti-Virus should check them. To learn how to select the protection mode refer to 6.2.3 on pg. 82. For details about object protection modes refer to A.3.1 on pg. 359.

Parameter: Function Blocking access from computers
Default value: Disabled
Description: You can block access from computers to the protected server when they attempt to write infected or suspicious objects to the server (see Chapter 7 on pg. 87).

Parameter: Trusted zone
Default value: Applied. If you selected Add to exclusions threats by mask not-a-virus:RemoteAdmin* and Add to exclusions files recommended by Microsoft, remote administration RemoteAdmin programs and files recommended by Microsoft will be excluded.
Description: A unified list of exclusions that you can apply to the selected on-demand scan tasks and the Real-time file protection task. Chapter 8 on pg. 99 contains information about the creation and application of trusted zone.

In order to configure the Real-time file protection task:
1. Expand the view of the Real-time protection node in the console tree.
2. Select nested node Real-time file protection.
The server file resource tree and dialog box Security level (Standard mode) will be displayed in the results panel (see Figure 15).

Figure 15. The Real-time file protection task is open

3. If required, configure the task settings.
4. Open the shortcut menu on the task name and select the Save command to save the changes.
To learn how to:
• Start / pause / resume / stop a task manually, see 5.6 on pg. 53.
• Start a scheduled task, see 5.7 on pg. 53.
6.2.1. Protection area in the Real-time file protection task
This chapter contains the following information:
• About creation of the protection area in the Real-time file protection task (see 6.2.1.1 on pg. 65);
• Which pre-defined server areas can be included into the protection area (see 6.2.1.2 on pg. 66);
• How you can create a protection area: exclude or include individual server areas from/into it (see 6.2.1.3 on pg. 67);
• About virtual protection area: drives, folders and files that are connected to the server temporarily and folders and files that are created on the server dynamically by various applications and services (see 6.2.1.4 on pg. 68);
• How to create a virtual protection area (see 6.2.1.5 on pg. 69).

6.2.1.1. Defining protection scope in the Real-time file protection task
If the Real-time file protection task is executed with default settings, Anti-Virus will scan all objects of the server file system. If, based on security requirements, you do not have to scan all objects, you can restrict the protection area.
In the Anti-Virus console the protection area is displayed as a server file resource tree that Anti-Virus can scan.
Server file resource tree nodes are displayed as follows:
The node is included into the protection area.
The node is excluded from the protection area.
At least one of the nodes nested in this node is excluded from the protection area or the security parameters of the nested node(s) differ from the security parameters of this node.
Note that the parent node will be marked with icon if you select all nested nodes but not the parent node itself. In this case files and folders that do not appear in this node will not be automatically included into the protection area. In order to include them into the protection area you can include their parent node into the protection area. Alternatively you can create their "virtual copies" in the Anti-Virus console and add them to the protection area.
The names of virtual nodes of the protection area are displayed in a blue font.

6.2.1.2. Pre-defined protection areas

Once you open the Real-time file protection task a tree of server file resources
will be displayed in the result panel (see Figure 16).

Note
The tree of file resources will display nodes for which you have reading privilege
based on the Microsoft Windows security settings.

Figure 16. Example of a server file resource tree in the Anti-Virus console

The server file resource tree contains the following pre-defined protection areas:
• Hard drives. Anti-Virus scans files on the server's hard drives.
• Removable drives. Anti-Virus scans files on removable media, for example on CDs or USB drives.
• Network places. Anti-Virus scans files that are written into network folders or read from them by applications running on the server. Anti-Virus does not scan such files when they are accessed by applications from other computers.
• Virtual drives. You can include into the protection area dynamic folders and files and drives that are temporarily connected to the server, for example, common drives of a cluster (create a virtual protection area).

Note
Virtual drives created using the SUBST command are not reflected in the server file resource tree in the Anti-Virus console. In order to include objects on such a virtual drive into the protection area, include the server folder with which this virtual drive is associated into the protection area.
Connected network drives are not reflected in the server file resource tree either. In order to include objects on a network drive into the protection area, specify the path to the folder corresponding to this network drive in UNC format.

6.2.1.3. Defining a protection area


In order to create a protection area:
1. Open the Real-time file protection task.
2. Perform the following actions in the server file resource tree in the result panel:
• In order to exclude an individual node from the protection area, expand the protection area tree in order to display the required node and uncheck the box next to its name.
• In order to select only those nodes that you wish to include into the protection area, uncheck the My computer box and then:
  o If you wish to include all drives of one type into the protection area, check the box next to the name of the required disk type.
  o If you wish to include an individual disk of a certain type into the protection area, expand the node that contains the list of drives of this type and check the box next to the name of the required drive (for example, in order to include all removable drives on the server check the Removable drives box).
  o If you would like to include into the protection area only a separate folder on the disk, expand the server file resource tree in order to display the folder that you wish to include into the protection area and check the box next to its name. Using the same procedure you can also include files into the protection area.
3. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Attention!
You can launch the Real-time file protection task only if at least one of the server file resource tree nodes is included into the protection area.

Note
If you specify a complex protection area, for example specify various security parameter values for multiple nodes in the server file resource tree, this may somewhat slow down the scan of objects when they are accessed.

6.2.1.4. About virtual protection area

Anti-Virus can scan not only existing folders and files on hard and removable drives, but also drives that are connected to the server temporarily (for example, common cluster drives) and folders and files that are dynamically created on the server by various applications and services.
If you included all server objects into the protection area, all these dynamic nodes will automatically be included into the protection area. However, if you would like to specify special values for the security settings of these dynamic nodes, or if you selected not the entire server but separate areas for real-time protection and wish to include dynamic drives, files or folders into the protection area, you will first have to create them in the Anti-Virus console, that is, specify the virtual protection area. The drives, files and folders created this way will exist only in the Anti-Virus console, not in the file structure of the protected server.
If, while creating a protection area, you select all nested folders or files without selecting the parent folder, then dynamic folders or files that appear in it later will not be automatically included into the protection area. You should create their "virtual copies" in the Anti-Virus console and add them to the protection area.
To learn about creating the virtual protection area in the Real-time file protection task, see 6.2.1.5 on pg. 69.
To learn about creating the virtual protection area in the on-demand scan tasks, see 9.2.1.5 on pg. 118.

6.2.1.5. Creating virtual protection scopes: adding dynamic drives, folders and files to the protection area
In order to add a virtual drive into the protection area:
1. In the console tree expand the Real-time protection node and select the nested Real-time file protection node.
2. In the result panel, open the shortcut menu on the Virtual drives node of the server file resource tree and select a name for the virtual drive being created from the list of available names (see Figure 17).

Figure 17. Selecting name for a virtual drive

3. Check the box next to the added drive in order to include the drive into the protection area.
4. Open the shortcut menu on the task name and select the Save command in order to save changes in the task.

In order to add a virtual folder or a virtual file into the protection area:
1. In the console tree expand the Real-time protection node and select
the nested Real-time file protection node.
2. Right-click the node into which you wish to add a folder or a file in the
results panel in the server file resources tree and select Add virtual
folder or Add virtual file.

Figure 18. Adding a virtual folder

3. In the entry field specify the name of the folder (file). You can specify a file name mask using the special symbols * and ?.
4. In the line with the name of the created folder (or file) check the box in order to include this folder (file) into the protection area.
5. Open the shortcut menu on the task name and select the Save command to save changes in the task.
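
The coverage behaviour described in 6.2.1.1 and 6.2.1.4, together with the virtual nodes created in the procedure above, can be checked with a small model. This is an added example, not Kaspersky code: the ProtectionArea class, the D:\Shares paths and the rule that the nearest explicit check box decides are assumptions that follow the guide's description, not the product's implementation.

```python
import re
from pathlib import PureWindowsPath


def mask_to_regex(mask):
    """Translate a name mask that uses only * and ? into a case-insensitive regex."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


class ProtectionArea:
    """Model (assumption) of the check boxes in the server file resource tree."""

    def __init__(self):
        self.boxes = {}    # real node -> True (checked) / False (unchecked)
        self.virtual = []  # (parent folder, compiled name mask) of checked virtual nodes

    def check(self, node):
        self.boxes[PureWindowsPath(node)] = True

    def uncheck(self, node):
        self.boxes[PureWindowsPath(node)] = False

    def add_virtual(self, parent, mask):
        """A checked virtual folder or file under `parent`; it need not exist on disk."""
        self.virtual.append((PureWindowsPath(parent), mask_to_regex(mask)))

    def covers(self, path):
        """True if an object at `path` falls inside the protection area."""
        p = PureWindowsPath(path)
        for node in (p, *p.parents):      # the object itself, then each ancestor
            if node in self.boxes:        # the nearest explicit check box decides
                return self.boxes[node]
            for parent, rx in self.virtual:
                if node.parent == parent and rx.match(node.name):
                    return True
        return False                      # nothing above this object was selected

    def uncovered(self, paths):
        """Audit helper: the paths that would be accessed without a scan."""
        return [p for p in paths if not self.covers(p)]


# Constructed sample: objects that appear on the server after the area was saved.
NEW_OBJECTS = [
    r"D:\Shares\Finance\q3.xls",
    r"D:\Shares\Spool7\job.tmp",   # folder created dynamically by a service
    r"D:\Shares\Public\setup.exe",
]


def children_only():
    """All folders that existed were checked one by one; D:\\Shares itself was not."""
    area = ProtectionArea()
    area.check(r"D:\Shares\Finance")
    area.check(r"D:\Shares\Public")
    return area


def children_plus_virtual():
    """Same area plus a virtual folder whose mask matches the dynamic folders."""
    area = children_only()
    area.add_virtual(r"D:\Shares", "Spool*")
    return area


def parent_with_exclusion():
    """Parent checked, so new folders are covered, but one child is excluded."""
    area = ProtectionArea()
    area.check(r"D:\Shares")
    area.uncheck(r"D:\Shares\Public")
    return area


if __name__ == "__main__":
    for build in (children_only, children_plus_virtual, parent_with_exclusion):
        print(build.__name__, "->", build().uncovered(NEW_OBJECTS))
```

Running uncovered() against a list of paths that services create at run time shows which of them need a virtual node or a checked parent before the task is saved.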

6.2.2. Configuring security settings for a selected node
You can configure settings of the selected node in the server file resource tree as follows:
• Select one of the pre-defined security levels (minimum, recommended or maximum) (see 6.2.2.1 on pg. 71);
• Manually modify the settings of the node selected (see 6.2.2.2 on pg. 74).
You can save the set of security settings of the selected node into a template so
that you can use this template later for other nodes (see 6.2.2.3 on pg. 78).

6.2.2.1. Selecting pre-defined security levels in the Real-time file protection task

You can apply one of the following pre-defined security levels for the nodes selected in the server file resources tree: a) minimum, b) recommended and c) maximum. Each of these levels has its own set of security settings. Parameter values of the pre-defined security levels are provided in Table 3 on pg. 72.
Minimum security level
You can set the Maximum Speed security level on the server if, apart from the use of Anti-Virus on the servers and workstations, there are additional computer security measures in your network, for example, firewalls are set up and network user security policies are in place.
Recommended
Recommended is set by default. Kaspersky Lab's experts consider this level sufficient for protection of file servers in most networks. It ensures the optimum combination of protection quality and effect on the performance of the servers being protected.
Maximum protection
Use this security level if you have high requirements for computer security in the network.

Table 3. Pre-defined security levels and corresponding security settings

Detectable objects (see A.3.2 on pg. 360)
Minimum: by extension
Recommended: by format
Maximum: by format

Scan of new and modified objects only (see A.3.3 on pg. 362)
Minimum: Enabled
Recommended: Enabled
Maximum: Disabled

Actions to be performed with infected objects (see A.3.5 on pg. 364)
Minimum: disinfect, delete if disinfection is not possible
Recommended: disinfect, delete if disinfection is not possible
Maximum: disinfect, delete if disinfection is not possible

Actions to be performed with suspicious objects (see A.3.6 on pg. 366)
Minimum: (quarantine)
Recommended: (quarantine)
Maximum: (quarantine)

Excluding objects (see A.3.8 on pg. 369)
Minimum: no
Recommended: no
Maximum: no

Excluding threats (see A.3.9 on pg. 370)
Minimum: no
Recommended: no
Maximum: no

Maximum object scan time (see A.3.10 on pg. 371)
Minimum: 60 seconds
Recommended: 60 seconds
Maximum: 60 seconds

Maximum size of a detected composite object, MB (see A.3.11 on pg. 372)
Minimum: 8
Recommended: 8
Maximum: no

NTFS streams scan (see A.3.2 on pg. 360)
Minimum: yes
Recommended: yes
Maximum: yes

Boot sector scan (see A.3.2 on pg. 360)
Minimum: yes
Recommended: yes
Maximum: yes

Scanning composite objects (see A.3.4 on pg. 363)
Minimum: packed objects* (* new and modified only)
Recommended: SFX archives*, packed objects*, embedded OLE objects* (* new and modified only)
Maximum: SFX archives*, packed objects*, embedded OLE objects* (* all objects)

Note
Note that the security settings Protection mode, Use iChecker and Use iSwift are not included into the set of settings of the pre-defined security levels. By default these settings are enabled. If you change the status of the settings Protection mode, Use iChecker or Use iSwift, the selected security level will not be changed.

In order to select one of the pre-defined security levels:


1. In the console tree expand the Real-time protection node and select
the nested Real-time file protection node.
2. In the server file resource tree select the node for which you wish to
choose a pre-defined security level.
3. Make sure that this node is included into the protection area (see
6.2.1.3 on pg. 67).
4. Using the Security level dialog box (see Figure 19) select a security level you wish to apply from the Security level box.

Figure 19. The Security level dialog box

The dialog box will display the list of the values of security settings corresponding to the security level you selected.
5. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

6.2.2.2. Configuring security settings manually


By default common security settings are used for the entire protection area in the Real-time file protection task. Their values correspond to the values of the pre-defined security level Recommended. For the default values of the security settings see 6.2.2.1 on pg. 71.
You can modify the default values of the security settings by configuring them as common settings for the entire protection area or as different settings for different nodes in the server file resource tree.
The scan settings that you configure for the selected node will automatically be applied to all nodes nested into it. However, if you configure security settings for a nested node separately, the security settings of the parent node will not apply to it.

In order to configure security settings of the selected node:


1. In the console tree expand the Real-time protection node and select
the nested Real-time file protection node.
2. Using the result panel in the server file resource tree select the node for
which you wish to configure the security settings.
3. Press the Settings button in the bottom part of the dialog box.
The Security settings dialog box will be displayed.

Note
To learn how to apply a security parameter template to a node, refer to
6.2.2.3 on pg. 78.

4. Configure the required security settings of the selected node in accordance with your requirements:
• Perform the following in the General tab (see Figure 20):
  o Under the Protection scope heading, specify whether Anti-Virus will scan all protection areas or objects of certain formats or having certain extensions and whether Anti-Virus will scan disk boot sectors and master boot records and alternative NTFS streams (see A.3.2 on pg. 360);
  o Under the Productivity heading specify whether Anti-Virus will scan all objects in the selected area or only new and modified objects (see section A.3.3 on pg. 362);
  o Under the Process compound objects heading, indicate which composite objects will be scanned by Anti-Virus (see A.3.4 on pg. 363).

Figure 20. Dialog box Security settings, the General tab

• Configure the following on the Actions tab (see Figure 21):
  o Actions to be performed with infected objects (see A.3.5 on pg. 364);
  o Actions to be performed with suspicious objects (see A.3.6 on pg. 366);
  o Actions to be performed with objects depending on the type of threat (see A.3.7 on pg. 368).

Figure 21. The Settings dialog box, the Actions tab

• Configure the following on the Performance tab if necessary (see Figure 22):
  o Excluding objects (see A.3.8 on pg. 369);
  o Excluding threats (see A.3.9 on pg. 370);
  o Maximum object scan time (see A.3.10 on pg. 372);
  o Maximum size of a composite object to be scanned (see A.3.11 on pg. 372);
  o Use iChecker technology (see A.3.12 on pg. 373);
  o Use iSwift technology (see A.3.13 on pg. 374).

Figure 22. The Settings dialog box, the Performance tab

5. After you have configured the required security settings, open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

6.2.2.3. Working with templates in Real-time Protection tasks
This section contains the following information:
• Saving security settings to a template (see 6.2.2.3.1 on pg. 79);
• Viewing security settings in a template (see 6.2.2.3.2 on pg. 80);
• Applying a template (see 6.2.2.3.3 on pg. 81);
• Deleting a template (see 6.2.2.3.4 on pg. 82).

6.2.2.3.1. Saving security settings set to a template

After you have configured the security settings of any of the nodes in the server file resource tree for the Real-time file protection task, you can save their values into a template in order to apply it to any other node.
In order to save the set of the security parameter values into a template:
1. In the console tree expand the Real-time protection node and select the nested Real-time file protection node.
2. In the server file resource tree select the node whose security settings you wish to save.
3. Press the Settings button in the bottom part of the dialog box.
4. In the General tab of the Protection area settings press the Save to a template button.
5. In the Template properties dialog box (see Figure 23) perform the following:
• Enter the name of the template into the Template name field.
• Enter any additional information about the template into the Description field.

Figure 23. The Template properties dialog box

6. Press OK. The template with the set of the parameter values will be saved.

6.2.2.3.2. Viewing security settings in a template

To view security settings in a template that you have created:


1. Expand the Real-time Protection node of the console tree.
2. Open the context menu on the Real-time file protection task and select the Templates command (see Figure 24).

Figure 24. The Templates dialog box

The Templates dialog box displays a list of templates that you can apply to the Real-time protection task.
3. To view the information and security settings in a template, select the template from the list and click the View button (see Figure 25).

Figure 25. The <Template name> dialog box, Settings tab

The General tab displays the template name and additional information about a template. The Settings tab lists the security settings saved in the template.

6.2.2.3.3. Applying a template

In order to apply a template with the set of values of the security settings to the selected node:
1. Save the security settings into the template (see 6.2.2.3.1 on pg. 79).
2. In the console tree expand the Real-time protection node and select
the nested Real-time file protection node.
3. Using the result panel in the server file resource tree, right-click the node to which you wish to apply the template and select Apply template.
4. Select the template you wish to apply in the Templates dialog box.
5. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.

Note
If you apply a template to a parent node, the security settings from the template will also be applied to all nested nodes except those for which you have configured security settings separately.
In order to apply the security settings from the template to all nested nodes, before you apply the template you must uncheck the parent node in the server's file resources tree and then check it again. Apply the template to the parent node. All nested nodes will have the same security settings as the parent node.
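
The inheritance rule from 6.2.2.2 and the template behaviour in the note above can be modelled to find nested nodes that stay on a weaker level than their parent after a template is applied. This is an added example, not Kaspersky code: the SecuritySettingsTree class, the reset_nested flag (standing in for unchecking and re-checking the parent), the "rank" field and the sample paths are assumptions; the three settings per level are copied from Table 3.

```python
from pathlib import PureWindowsPath

# Three rows of Table 3 as printed in the guide. "rank" is added here only so that
# levels can be compared; None stands for the table's "no" (no size limit).
LEVELS = {
    "Minimum": {"rank": 0, "detect_by": "extension",
                "new_and_modified_only": True, "max_composite_mb": 8},
    "Recommended": {"rank": 1, "detect_by": "format",
                    "new_and_modified_only": True, "max_composite_mb": 8},
    "Maximum": {"rank": 2, "detect_by": "format",
                "new_and_modified_only": False, "max_composite_mb": None},
}


class SecuritySettingsTree:
    """Model (assumption) of per-node security levels in the file resource tree."""

    def __init__(self, root, level="Recommended"):
        self.root = PureWindowsPath(root)
        self.own = {self.root: level}   # nodes whose settings were configured separately

    def configure(self, node, level):
        """Configure a node separately; parent settings no longer apply to it."""
        self.own[PureWindowsPath(node)] = level

    def effective_level(self, path):
        """Level of the nearest node, walking upwards, that has its own settings."""
        p = PureWindowsPath(path)
        for node in (p, *p.parents):
            if node in self.own:
                return self.own[node]
        raise KeyError(f"{path} is outside {self.root}")

    def effective_settings(self, path):
        return LEVELS[self.effective_level(path)]

    def apply_template(self, node, level, reset_nested=False):
        """Apply a template to `node`.

        reset_nested=True models unchecking and re-checking the parent first,
        which the note says makes all nested nodes take the parent's settings.
        """
        node = PureWindowsPath(node)
        if reset_nested:
            for nested in [n for n in self.own if node in n.parents]:
                del self.own[nested]
        self.own[node] = level

    def weaker_than_parent(self):
        """Separately configured nodes that scan less strictly than their parent."""
        findings = []
        for node, level in self.own.items():
            if node == self.root:
                continue
            parent_level = self.effective_level(node.parent)
            if LEVELS[level]["rank"] < LEVELS[parent_level]["rank"]:
                findings.append((str(node), level, parent_level))
        return sorted(findings)


def build_sample():
    """Constructed sample: one nested folder was set to Minimum some time ago."""
    tree = SecuritySettingsTree("D:\\")               # Recommended everywhere
    tree.configure(r"D:\Shares\Scratch", "Minimum")   # separately configured node
    return tree


if __name__ == "__main__":
    tree = build_sample()
    tree.apply_template(r"D:\Shares", "Maximum")
    print("after template:", tree.weaker_than_parent())
    tree.apply_template(r"D:\Shares", "Maximum", reset_nested=True)
    print("after reset and template:", tree.weaker_than_parent())
```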

6.2.2.3.4. Deleting a template

To delete a template:
1. Expand the Real-time Protection node of the console tree.
2. Open the context menu on the Real-time file protection task and select the Templates command (see Figure 24).
3. In the Templates dialog box, select the template from the template list that you want to delete and click the Delete button.
4. Click Yes in the confirmation window. The selected template will be deleted.

6.2.3. Selecting protection mode


You can select the protection mode. For details about this setting refer to A.3.1
on pg. 359.
In order to select an object protection mode:
1. In the console tree expand node Real-time protection.
2. Open the shortcut menu on the Real-time file protection task and se-
lect Properties.
3. Using the Properties dialog box, switch to the General tab (see Figure 26), select the protection mode that you wish to set and press the OK button.

Figure 26. The Task Properties dialog box, General tab

6.3. Real-time file protection task statistics
While the Real-time file protection task is being executed you can view in real time detailed information about the number of objects processed by Anti-Virus from the moment it was started until the current moment, that is, the task execution statistics.
In order to view the Real-time file protection task statistics:
1. Expand the view of the Real-time protection node in the console tree.
2. Right-click the Real-time file protection task and select Statistics.
The following information about objects processed by Anti-Virus from the moment it was started until the current moment will be displayed in the Task status dialog box.

Field: Description

Threats detected: The number of detected threats. For example, if Anti-Virus detects one malicious program in five objects, the value in this field will be incremented by one.

Infected objects detected: Total number of detected infected objects and number of infected objects

Suspicious objects detected: Total number of detected suspicious objects

Objects not disinfected: Number of objects that Anti-Virus did not disinfect because: a) the type of the threat contained in the object does not provide for disinfection; b) objects of this type cannot be disinfected; c) an error occurred during the disinfection

Objects not quarantined: Number of objects that Anti-Virus should have quarantined but was unable to due to an error, for example due to insufficient disk space

Objects not deleted: Number of objects that Anti-Virus attempted to delete but was unable to, for example because access to the object was blocked by another program

Objects not scanned: Number of objects in the scan scope that Anti-Virus failed to scan because, for example, access to the object was blocked by another program

Objects not backed up: Number of objects copies of which Anti-Virus attempted to save to Backup but was unable to due to an error

Scan errors: Number of objects during processing of which Anti-Virus encountered an error

Objects disinfected: Number of objects disinfected by Anti-Virus

Objects quarantined: Number of objects quarantined by Anti-Virus

Objects backed up: Number of files copies of which Anti-Virus saved to Backup

Objects deleted: Number of objects deleted by Anti-Virus

Password protected objects: Number of objects (for example archives) that Anti-Virus skipped as they were password-protected

Corrupted objects: Number of objects skipped by Anti-Virus as their format is corrupted

Objects scanned: Total number of objects scanned by Anti-Virus

6.4. Configuring the Script monitoring task
By default the Script monitoring system task uses the settings described in Table 4. You can modify the values of these settings to customize the task.

Table 4. Default settings of the Script monitoring task

Option: Execution of infected scripts
Default value: Blocked
Description: Anti-Virus always blocks execution of scripts which it recognizes as infected.

Option: Execution of suspicious scripts
Default value: Blocked
Description: You can specify the action which Anti-Virus will perform on scripts that it recognizes as suspicious: block or allow their execution.

Option: Trusted zone
Default value: Applied. The list of exclusions is empty
Description: General list of exclusions which you can use in the Script monitoring task. Chapter 8 on pg. 99 contains information about creation and use of the trusted zone.

To configure the Script monitoring task:
1. Expand the Real-time protection node in the console tree.
2. Open the context menu of the Script monitoring task and select its Properties.
   The Properties: Script monitoring dialog will open.
3. Use the Actions to be performed on suspicious scripts group of settings to allow or block execution of suspicious scripts:
   • In order to allow execution of suspicious scripts, select Allow execution;
   • In order to prohibit execution of suspicious scripts, select Block execution.
4. Use the Trusted zone group of settings to enable or disable the trusted zone:
   • To enable the trusted zone, check the Apply trusted zone box;
   • To disable the trusted zone, uncheck the Apply trusted zone box.
   For details about addition of scripts to the list of trusted zone exceptions, please see section 8.2.3 on pg. 105.
5. To save the changes press OK in the Settings: Script monitoring dialog box.

6.5. Script monitoring task statistics


While the Script monitoring task is being executed you can view in real time
information about the number of scripts processed by Anti-Virus since it was
started until the current moment - task execution statistics.
In order to view the task statistics:
1. In the console tree expand node Real-time protection.
2. Right-click the Script monitoring task and select Statistics.
The following information will be displayed in the Statistics dialog box:

Field | Description
Scripts blocked | number of prohibited scripts
Dangerous scripts | number of malicious scripts detected
Number of suspicious scripts | number of suspicious scripts detected
Processed scripts | total number of processed scripts


CHAPTER 7. BLOCKING ACCESS FROM COMPUTERS IN THE REAL-TIME FILE PROTECTION TASK

This chapter contains the following information:

• about blocking access from computers to the protected server (see 7.1 on pg. 87);
• enabling / disabling of automatic blocking of access from computers (see 7.2 on pg. 88);
• configuring settings of automatic blocking of access from computers (see 7.3 on pg. 89);
• excluding computers from the scope of automatic blocking (creating a list of trusted computers) (see 7.4 on pg. 91);
• preventing virus outbreaks (see 7.5 on pg. 92);
• viewing the list of computers to which access to the server is prohibited (see 7.6 on pg. 94);
• manual blocking of access from computers (see 7.7 on pg. 95);
• unblocking access from computers (see 7.8 on pg. 97);
• viewing the blocking statistics (see 7.9 on pg. 97).

7.1. About blocking access from computers to the protected server
While the Real-Time File Protection task is executed, you can temporarily block
access from infected computers to the protected server.
You can block infected computers using two methods:
• Enable automatic computer blocking. Once any computer makes an attempt to write an infected or a suspicious object onto the protected server, Anti-Virus will temporarily block access from the computer to the files on the server. By default the function of automatic blocking of access from infected computers is disabled.
• Manually block the infected computer. If you have information that any computer within the local area network is infected, you can manually block access from it to the protected server: add the computer to the blocking list and specify the time during which objects on the protected server will be unavailable to it.
You can unblock access from the computer to the server at any time.
All operations of blocking or unblocking of access from computers are registered in the system audit log.
The list of blocked computers is saved automatically between the Anti-Virus sessions.

7.2. Enabling or disabling automatic blocking of access from computers
In order to enable or disable the function of blocking access from computers:
1. Expand the Real-time file protection node in the console tree, then the Real-time protection node, in order to display the nested node Blocking access from computers.
2. Perform one of the following actions:
   • To enable automatic blocking of access from computers to the server, right-click the Blocking access from computers node and select the Enable command.
   • To disable automatic blocking of access from computers to the server, right-click the Blocking access from computers node and select the Disable command.
3. Press the OK button.

Note
If you enable the function of automatic blocking of access from computers, it will be enabled only when the Real-time file protection task is running.
Once you disable the automatic blocking function, all computers in the blocking list will be granted access to the files on the server.

7.3. Configuring settings of automatic access blocking from computers
This section contains a description of enabling and configuring automatic blocking of access from computers to the server. For a description of the blocking settings refer to A.4 on pg. 375.
In order to configure the settings of automatic blocking of access from computers:
1. Expand the Real-time file protection node in the console tree, then the Real-time protection node, in order to display the nested node Blocking access from computers.
2. Right-click the Blocking access from computers node and select Properties.
3. On the Blocking access from computers tab in the Properties dialog box, make sure that the Enable blocking the access from computers to the server box is checked (see Figure 27).

Figure 27. The Blocking access from computers Properties dialog box, the General tab

4. In the Actions on computer settings group, check the boxes next to the actions that the Anti-Virus will perform if a computer attempts to write an infected or a suspicious object on the server (see A.4.2 on pg. 376).
5. If you selected Block access from computer to the server, specify a time period for which you wish to block access from the computers to the server in days, hours or minutes.
6. If you selected Run executable file, press the list button in the Executable file dialog box (see Figure 28), specify the executable file (name and full path to it) and the account under which the file will be executed.

Figure 28. The Executable file dialog box

7. Press the OK button.

7.4. Excluding computers from automatic blocking (Trusted computers)
You can create a list of trusted computers (for more details about this setting
refer to A.4.3 on pg. 377).
In order to add a computer to the list of trusted computers:
1. Expand the Real-time protection node in the console tree, then the Real-time file protection node, in order to display the nested node Blocking access from computers.
2. Open the shortcut menu on the Blocking access from computers node and select Properties.
3. Using the General tab of the Blocking access from computers Properties dialog box (see Figure 27) make sure that the Enable blocking of access from computers to the server box is checked (see A.4.1 on pg. 375).
4. Check the Do not block specified computers box in the Trusted computers settings group and perform the following actions:
   a) Press the Add button. An Add computer dialog box will open (see Figure 29).

Figure 29. The Add Computer dialog box

   b) Specify the computer's network name or IP address:
      o Select Use network computer name and specify the computer's NetBIOS name;
      o Specify the static IP address: select Use network IP address or enter the computer's IP address;
      o Specify a range of IP addresses: select Use IP address range, enter the first IP address of the range in the Start IP address field and the last IP address in the End IP address field. All computers whose IP addresses are within the specified range will be treated as trusted computers.
   c) Press the OK button.
5. Press OK in the Properties dialog box.

7.5. Preventing virus outbreaks


This section describes how to enable and disable the Virus outbreak prevention function. A description of Virus outbreak prevention is provided in A.4.4 on pg. 378.

In order to enable / disable Virus outbreak prevention:
1. Expand the Real-time protection node in the console tree, then the Real-time file protection node, in order to display the nested node Blocking access from computers.
2. Open the shortcut menu on the Blocking access from computers node and select Properties.
3. Switch to the Additional tab (see Figure 30) in the Blocking access from computers Properties dialog box.

Figure 30. The Blocking access from computers Properties dialog box, the Additional tab

4. Perform one of the following actions on the Additional tab:
   • In order to enable Virus outbreak prevention:
      a) check the Increase security level if the number of computers exceeds box;
      b) indicate the number of computers with blocked access that, when reached, would cause the Anti-Virus to switch to a higher security level;
      c) if required, enable the function of restoring the security level when the number of computers with blocked access has decreased to the value indicated in Restore security level if the number of computers is lower than.
   • In order to disable Virus outbreak prevention, uncheck the Increase security level if the number of computers exceeds box.
5. Press the OK button.

7.6. Viewing the list of computers to which access to the server is prohibited
Attention!
Computers in the server access blocking list are not allowed to access the protected server only when the Real-time file protection task is running and the function of automatic blocking of access from computers is enabled.

In order to view the list of computers whose access to the protected server is currently prohibited:
1. In the console tree expand the Real-time protection node and select the Real-time file protection node.
2. Open nested node Blocking access from computers (see Figure 31).

Figure 31. The Blocking access from computers dialog box

The result panel will display the following information about computers from which access to the server is prohibited:

Field | Description
Computer | Information about the computer in the blocking list obtained by Anti-Virus (network name, IP address)
Blocking date | Date and time when the access from a computer was blocked, displayed using the format specified by the Microsoft Windows regional settings of the computer on which Anti-Virus console is installed
Blocking end date | Date and time when access from the computer will be unblocked, in the format specified by the Microsoft Windows regional settings of the computer on which Anti-Virus console is installed

7.7. Blocking access from computers: Blocking access from a computer manually
If you have information that the computer is infected, you can manually block
access from it to the protected server.

Attention!
Computers that are in the access blocking list are not allowed to access the protected server only when the Real-time file protection task is running and the automatic blocking of access from computers is enabled.

In order to manually block access from a computer to the server:
1. In the console tree expand the Real-time protection node and select the Real-time file protection node.
2. Make sure that the automatic blocking of access from computers is enabled (see 7.2 on pg. 88).
3. Open the shortcut menu on the Blocking access from computers nested node and select Add to the blocking list.
4. Using the Adding computer to the blocked list dialog box (see Figure 32) specify the network name of the computer whose server access you wish to block.

Note
In the Computer Name field specify only computers' NetBIOS names, not DNS addresses.

Figure 32. The Adding computer to the blocked list dialog box

5. Perform one of the following actions:
   • select Blocking access from the computer to the server for the period of: and specify the period for which the access from the computer to the server will be blocked;
   • select Blocking access from computer to the server until: and specify the date and time when the computer will be unblocked.
6. Press the OK button.

7.8. Unblocking access from a computer
You can unblock access from a computer to the protected server at any time.
In order to unblock access from a computer:
1. In the console tree expand the Real-time protection node and select
the Real-time file protection node.
2. Select nested node Blocking access from computers.
3. In the Blocking access from computers window, in the list of blocked
computers right-click the line with information about computers that you
wish to unblock and select Allow access from computer.

7.9. Viewing blocking statistics


You can view information about the number of computers whose access to the protected server has been blocked since the last time the Anti-Virus was started (blocking statistics).
In order to view the blocking statistics:
1. In the console tree expand node Real-time protection.
2. Expand node Real-time file protection.
3. Right-click the Blocking access from computers task and select Statistics (see Figure 33).

Figure 33. The Blocking server access statistics dialog box

The following information will be displayed in the Statistics dialog box:

Field | Description
Computers in the blocking list | The number of computers currently in the access blocking list
Infection attempts from trusted computers | The number of attempts to write infected or suspicious objects to the server from the trusted computers since the moment when the automatic blocking was enabled
Total number of computers blocked during operation | The total number of computers automatically added to the blocking list when they attempted to write infected or suspicious objects to the server from the trusted computers since the moment when the automatic blocking was enabled
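
How the settings from sections 7.1 to 7.5 interact, and how the three counters above move, can be followed in a small model. The Python code below is an added illustration, not Kaspersky Lab code: the class, its field names, the sample computers and the addresses are constructed, and it assumes that a block ends once its end time is reached and that the outbreak thresholds are compared with the current size of the blocking list.

```python
"""Model of automatic blocking of access from computers (sections 7.1-7.5, 7.9).
Added illustration; names, addresses and expiry semantics are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class BlockingModel:
    block_period: timedelta                              # blocking period (7.3, step 5)
    trusted_names: set = field(default_factory=set)      # NetBIOS names (7.4)
    trusted_ranges: list = field(default_factory=list)   # (start IP, end IP) pairs (7.4)
    raise_above: int = 0     # "Increase security level if the number of computers exceeds"; 0 = off
    restore_below: int = 0   # "Restore security level if the number of computers is lower than"; 0 = off
    blocked: dict = field(default_factory=dict)          # computer name -> blocking end date
    trusted_attempts: int = 0
    total_blocked: int = 0
    level_raised: bool = False

    def is_trusted(self, name, ip):
        """A computer is trusted by NetBIOS name or by an address inside a trusted range."""
        if name.upper() in {n.upper() for n in self.trusted_names}:
            return True
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.trusted_ranges)

    def _refresh(self, now):
        """Drop expired entries, then apply the outbreak prevention thresholds."""
        self.blocked = {n: end for n, end in self.blocked.items() if end > now}
        count = len(self.blocked)
        if self.raise_above and count > self.raise_above:
            self.level_raised = True
        elif self.level_raised and self.restore_below and count < self.restore_below:
            self.level_raised = False

    def on_infected_write(self, name, ip, now):
        """A computer tried to write an infected or suspicious object to the server."""
        self._refresh(now)
        if self.is_trusted(name, ip):
            self.trusted_attempts += 1       # counted, but never blocked
            return "trusted"
        key = name.upper()
        if key not in self.blocked:
            self.blocked[key] = now + self.block_period
            self.total_blocked += 1
        self._refresh(now)
        return "blocked"

    def is_blocked(self, name, now):
        self._refresh(now)
        return name.upper() in self.blocked

    def unblock(self, name, now):
        """Manual unblocking (7.8)."""
        self.blocked.pop(name.upper(), None)
        self._refresh(now)

    def statistics(self):
        """The three fields of the Statistics dialog box described in 7.9."""
        return {
            "Computers in the blocking list": len(self.blocked),
            "Infection attempts from trusted computers": self.trusted_attempts,
            "Total number of computers blocked during operation": self.total_blocked,
        }


if __name__ == "__main__":
    # Constructed scenario: 15-minute blocks, one trusted name, one trusted IP range.
    t0 = datetime(2008, 7, 1, 9, 0)
    model = BlockingModel(timedelta(minutes=15), {"BACKUP01"},
                          [("192.0.2.10", "192.0.2.20")], raise_above=2, restore_below=2)
    events = [("WS-A", "192.0.2.50", 0), ("WS-B", "192.0.2.15", 0),
              ("WS-C", "192.0.2.51", 5), ("WS-D", "192.0.2.52", 10)]
    for name, ip, minute in events:
        result = model.on_infected_write(name, ip, t0 + timedelta(minutes=minute))
        print(minute, name, result, "level raised:", model.level_raised)
    model.is_blocked("WS-A", t0 + timedelta(minutes=21))
    print(model.statistics(), "level raised:", model.level_raised)
```

With equal thresholds of 2, the raised level persists while two computers remain blocked and is restored only when the list drops to one, which is why the two values are worth choosing together.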
CHAPTER 8. TRUSTED ZONE

This chapter contains the following information:

• about Anti-Virus trusted zone (see section 8.1 on pg. 99);
• adding exclusions to the trusted zone (see section 8.2 on pg. 101);
• applying a trusted zone (see section 8.3 on pg. 109).

8.1. About Anti-Virus trusted zone


You can create a unified list of exclusions from the protected (scan) area and, when required, apply these exclusions in the selected on-demand scan tasks and in the Real-time Protection task. This list of exclusions is called the trusted zone.
The following objects can be located in the Anti-Virus trusted zone:
• files accessed by the processes of applications susceptible to file interceptions (trusted processes);
• files accessed during the backup copying operations (files backup operations);
• objects specified by the user by their location and/or threat in them (exclusion rules).
By default the trusted zone is applied in the Real-time file protection and Script monitoring tasks, system tasks and newly created on-demand scan user tasks.
Trusted processes (used only in the Real-time file protection task)
   Some applications on the server may become unstable if files that they access are intercepted by the Anti-Virus application. Such applications include, for example, system domain controller applications.
   In order to avoid disruptions of stable operation of such applications, you can disable real-time protection of files accessed by running processes of these applications, that is, create a list of trusted processes in the trusted zone.
   Microsoft Corporation recommends excluding files of some such applications from the real-time protection scope as they are not susceptible to infection. You can view the list of files recommended to be excluded at Microsoft Corporation website http://www.microsoft.com/, Article code: KB822158.
   You can apply the trusted zone with the Trusted processes function enabled or without enabling this function.
   Please note that if the executable process file is modified, for example, if it is updated, Anti-Virus will exclude it from the list of trusted processes.
Backup operations (used in the Real-time file protection task only)
   You can disable real-time protection of files accessed by the backup file copying operation during the time while this task is being executed: Anti-Virus will not scan files opened for reading by the backup copying application with attribute FILE_FLAG_BACKUP_SEMANTICS.
   You can apply the trusted zone with disabling the real-time file protection for the time the backup copying is carried on or without disabling this function.
Exclusion rules (used in the Real-time file protection and Script monitoring tasks and on-demand scanning tasks)
   You can exclude objects from scan in individual tasks without need for the trusted zone or you can compile a unified list of objects to be excluded from the scan in the trusted zone. You can keep this list and, when required, you can apply exclusions in the tasks of the selected functional components: Real-time file protection, Script monitoring and on-demand scanning tasks.
   You can add objects to the trusted zone by their location on the server, by the name of the threat detected in the object or by both attributes combined.
   By adding a new exception to the trusted zone you set up a rule for it (attributes using which Anti-Virus will skip objects) and specify to which functional component (Real-time protection and/or On-demand scan) this rule applies.
   According to the rule you configure, Anti-Virus can skip in the tasks of the specified components:
   • specified threats in the specified areas of the server;
   • all threats in the specified areas of the server;
   • specified threats in the entire scan area.
   If you selected Add to exclusions remote administration programs and Add to exclusions files recommended by Microsoft during the installation of Anti-Virus, these exclusion rules will be applied to the Real-time file protection task and in the system on-demand scan tasks except Scan Quarantine and Application integrity control.

8.2. Adding exclusions to the trusted zone

This chapter contains the following information:
• adding processes to the list of trusted processes (see section 8.2.1 on pg. 101);
• disabling the real-time file protection for the time of backup copying (see section 8.2.2 on pg. 105);
• adding exclusion rules (see section 8.2.3 on pg. 105).

8.2.1. Adding process to the list of trusted processes
In order to avoid disruptions of stable operation of applications sensitive to file interceptions, you can disable real-time protection of files accessed by running processes of these applications, that is, create a list of trusted processes in the trusted zone.
You can add a process to the list of trusted processes using one of the following methods:
• select this process from the list of processes currently running on the protected server;
• select an executable file of the process regardless of whether the process is currently running.

Note
If the executable file of a process has been modified, Anti-Virus excludes this process from the list of trusted processes.

In order to add a process to the list of trusted processes:
1. Open the shortcut menu on the Anti-Virus snap-in in the Anti-Virus console in MMC and select the Trusted zone command.
2. On the Trusted Processes tab of the Trusted zone dialog box (see Figure 34), enable the Trusted Processes function: check the Do not monitor file activity of the specified processes box.

Figure 34. The Trusted zone dialog box, the Trusted Processes tab

3. Add a trusted process from the list of running processes or specify an executable file of the process.
   • In order to add a process from the list of running processes:
      a) Press the Add button.
      b) In the Adding a trusted process dialog box (see Figure 35) press the Processes button.

Figure 35. The Adding a trusted process dialog box

      c) In the Active Processes dialog box (see Figure 36) select the required process and press the OK button.
         In order to find the required process in the list, you can sort the processes by name, PID or by the path to the executable file of the process.

Figure 36. The Active Processes dialog box

Note
In order to view active processes on the protected server you must be included in the administrator's group of the protected server.

         The selected process will be added to the list of trusted processes in the Trusted Processes dialog box.
   • In order to select an executable file of the process on the drive of the protected server, perform the following:
      a) Press the Add button on the Trusted Processes tab.
      b) Press Browse in the Adding a trusted process dialog box and select an executable process file on the local drive of the protected server. Press the OK button.
         The name of the file and path to it will then be displayed in the Adding a trusted process dialog box.
         When specifying the path you can use system environment variables; you can't use user environment variables.

Note
Anti-Virus does not consider a process to be a trusted process if the path to the executable process file is different from the path specified by you in the Path to File field. If you wish a process launched from a file that may be located in any folder to be considered trusted, then enter character * in the Path to file field. When specifying the path you can use environment variables.

      c) Press the OK button.
         The name of the selected executable process file will then be displayed in the List of trusted processes in the Trusted processes dialog box.
4. Press OK to save the changes.
5. Make sure that the trusted zone is applied in task Real-time File Protection (see section 8.3 on pg. 109).

8.2.2. Disabling the real-time file protection task for the time of backup copying
You can disable real-time protection of files accessed by the backup file copying operation during the time while this task is being executed: Anti-Virus will not scan files opened for reading by the backup copying application with attribute FILE_FLAG_BACKUP_SEMANTICS.

Note
Information about the number of files that Anti-Virus skips during the backup copying operations is not displayed in the Statistics dialog box of the Real-Time File Protection task.

In order to disable real-time file protection during the backup copying:
1. Open the shortcut menu on the Anti-Virus snap-in in the Anti-Virus console in MMC and select the Trusted zone command.
2. Perform one of the following actions on the Trusted Processes tab of the Trusted zone dialog box:
   • in order to disable real-time protection of files accessed by the backup file copying task, check the Do not monitor backup copying file operations box.
   • in order to enable real-time protection of files accessed by the backup file copying task, uncheck the Do not monitor backup copying file operations box.
3. Press OK to save the changes.
4. Make sure that the trusted zone is applied in task Real-time File Protection (see section 8.3 on pg. 109).

8.2.3. Adding exclusion rules


In order to add an exclusion rule:
1. Open the shortcut menu on the Anti-Virus snap-in in the Anti-Virus console in MMC and select the Trusted zone command.
2. Press the Add button on the Exclusion rules tab of the Trusted Zone dialog box.

Figure 37. The Trusted zone dialog box, the Exclusion rules tab

   The Exclusion rule dialog box will open.

Figure 38. The Exclusion rule dialog box

3. Indicate the rule according to which Anti-Virus will exclude the object.

Note
In order to exclude specified threats within the specified areas, check the Object box and the Threats box.
In order to exclude all threats within the specified areas, check the Object box and uncheck the Threats box.
In order to exclude a specified threat within the entire scan area, uncheck the Object box and check the Threats box.

   • If you wish to specify the object's location, check the Object box, press the Change button and in the Select Object dialog box (see Figure 39) specify the object that will be excluded from scanning and then press the OK button:
      o Predefined Scope. Select in the list one of predefined scanning areas.
      o Disc or folder. Specify the server drive or folder on server or in the local network.
      o File. Specify the file on server or in the local network.
      o File or URL of the script. Select the script on a protected server, in local network or in the Internet.

Note
You can specify masks for the names of objects using characters ? and *.

Figure 39. The Select Object dialog box

   • If you wish to specify the name of the threat, press the Change button and add the names of the threats in the List of exclusions (see Figure 40) dialog box (for more details about this setting refer to section A.3.9 on pg. 370).

Figure 40. The List of exclusions dialog box

4. In the Exclusion rule dialog window under the Rule application scope heading check the boxes next to the names of the functional components in whose tasks exclusion rules will be applied.
5. Press OK.
   • In order to edit the rule, select the rule you wish to edit in the Trusted zone dialog box, on the Exclusion tab, press the Edit button and make a change in the Exclusion rule dialog box.
   • In order to delete a rule, select the rule you wish to delete in the Trusted zone dialog box, on the Exclusion tab, press the Delete button and confirm the deletion.
6. Press OK in the Trusted zone dialog box.
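
The three rule types from section 8.1 and the ? and * masks can be checked offline before a rule is entered in the console. The Python code below is an added example, not part of the product: it assumes masks are matched against the full path and the full threat name without regard to case, and the rule names, paths, component labels and threat names are constructed.

```python
"""Evaluate and review trusted-zone exclusion rules (Object and/or Threats, plus scope).
Added example; matching details are assumptions, sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

REAL_TIME, ON_DEMAND = "real-time", "on-demand"   # constructed component labels


def mask_to_regex(mask):
    """Compile a mask in which only ? (one character) and * (any run) are special."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile(body, re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class ExclusionRule:
    name: str
    object_mask: Optional[str]          # None: the Object box is unchecked
    threat_masks: tuple = ()            # empty: the Threats box is unchecked
    components: frozenset = frozenset({REAL_TIME, ON_DEMAND})

    def kind(self):
        if self.object_mask and self.threat_masks:
            return "specified threats in the specified area"
        if self.object_mask:
            return "all threats in the specified area"
        if self.threat_masks:
            return "specified threats in the entire scan area"
        return "invalid: neither Object nor Threats is set"

    def skips(self, component, path, threat):
        """True if this rule makes the given component skip the detection."""
        if component not in self.components:
            return False
        if not self.object_mask and not self.threat_masks:
            return False
        if self.object_mask and not mask_to_regex(self.object_mask).fullmatch(path):
            return False
        if self.threat_masks and not any(
                mask_to_regex(m).fullmatch(threat) for m in self.threat_masks):
            return False
        return True


def first_matching_rule(rules, component, path, threat):
    """Return the name of the first rule that skips the detection, or None."""
    for rule in rules:
        if rule.skips(component, path, threat):
            return rule.name
    return None


def audit(rules):
    """Return (rule name, finding) pairs for rules that deserve review first."""
    findings = []
    for rule in rules:
        kind = rule.kind()
        if kind.startswith("invalid"):
            findings.append((rule.name, kind))
        elif kind.startswith("all threats"):
            findings.append((rule.name, "every detection under %s is skipped" % rule.object_mask))
        if any(m.strip("*?") == "" for m in rule.threat_masks):
            findings.append((rule.name, "threat mask matches any threat name"))
    return findings


# Constructed sample rules, one per rule type.
RULES = [
    ExclusionRule("remote-admin-tools", r"D:\Tools\*", ("not-a-virus:RemoteAdmin*",)),
    ExclusionRule("temp-folder", r"C:\Temp\*", (), frozenset({REAL_TIME})),
    ExclusionRule("remote-admin-anywhere", None, ("not-a-virus:RemoteAdmin*",),
                  frozenset({ON_DEMAND})),
]

if __name__ == "__main__":
    # Constructed detections: (component, path, threat name).
    samples = [
        (REAL_TIME, r"D:\Tools\radmin.exe", "not-a-virus:RemoteAdmin.Win32.Example"),
        (REAL_TIME, r"D:\Tools\radmin.exe", "Trojan.Win32.Example"),
        (REAL_TIME, r"c:\temp\x.dll", "Trojan.Win32.Example"),
        (ON_DEMAND, r"C:\Temp\x.dll", "Trojan.Win32.Example"),
    ]
    for component, path, threat in samples:
        print(component, path, threat, "->", first_matching_rule(RULES, component, path, threat))
    for name, finding in audit(RULES):
        print("review:", name, "-", finding)
```

The rule with the Object box checked and the Threats box unchecked is the one the review flags, because it hides any threat found under that path from the components in its scope.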

8.3. Applying a trusted zone


By default the trusted zone is applied in the Real-time protection tasks, system tasks and newly created on-demand scan tasks.
You can enable or disable the use of trusted zone in individual tasks in the Task Properties dialog box.
After you enable or disable a trusted zone, its exclusions are applied to or removed from the Real-Time File Protection and Script monitoring tasks immediately, and to or from the on-demand scan tasks the next time the task is launched.
In order to apply exclusions to a trusted zone in a task:
1. In the MMC console open the shortcut menu on the task name and check the Apply Trusted zone box on the General tab in the Task Properties dialog box.
2. Press the OK button.
CHAPTER 9. ON-DEMAND SCAN

This chapter contains the following information:

• about on-demand scan tasks (see 9.1 on pg. 111);
• configuring on-demand scan tasks (see 9.2 on pg. 112);
• execution of the background on-demand scan tasks (see 9.3 on pg. 131);
• on-demand scan task statistics (see 9.4 on pg. 133).

9.1. About on-demand scan tasks


The Anti-Virus provides four on-demand scan system tasks:
• The Scan My Computer task is executed by default on a weekly basis according to the schedule. The Anti-Virus scans all objects of the protected server using security settings with values corresponding to the Recommended level (see 9.2.2.1 on pg. 120). You can modify the settings of the Scan My Computer task.
• The Scan Quarantine task is executed by default according to the schedule after each bases update. The Anti-Virus scans the quarantine folder using settings listed in 11.3 on pg. 160. You cannot modify the Scan Quarantine task settings.
• The Scan at system startup task is executed at the Anti-Virus startup. The Anti-Virus scans the server startup objects, Anti-Virus software modules, boot sectors and master boot records of hard and removable drives, system memory and memory of processes. The Anti-Virus uses the Recommended pre-defined security level (see 9.2.2.1 on pg. 120). You can change the schedule settings or disable the launch of this task.
• The Application integrity control task is executed according to the schedule at the Anti-Virus startup. The Anti-Virus verifies the authenticity of its executable modules. You cannot modify the Application integrity control task settings. You can change the schedule settings or disable the scheduled launch of this task.
Additionally you can create user-defined on-demand scan tasks. For example you can create a task for scanning public access folders on the server.
The Anti-Virus may run several on-demand scan tasks at the same time.
For more details on the categories of tasks provided by the Anti-Virus, according to where they were created or saved, refer to 5.1 on pg. 48.
For more details about the Anti-Virus Real-time protection and On-demand protection functions refer to 1.1.1 on pg. 13.
For managing tasks in the Anti-Virus console in MMC refer to Chapter 5 on pg. 48.

9.2. Configuring on-demand tasks


You can configure the system on-demand scan task Full computer scan and user-defined on-demand scan tasks.
To learn how to create a new user-defined on-demand scan task see 5.2 on pg. 50.
In order to configure an on-demand scan task:
1. Expand the On-demand scan node in the console tree.
2. Click the on-demand scan task you wish to configure in order to open it.
3. Configure the task settings: create the scan scope, if required change the safety settings. By default system task Scan My Computer and newly created user-defined tasks have settings listed in Table 5.
4. Open the shortcut menu on the task name and select the Save command in order to save the changes in the task.
Table 5. Default settings of the Scan My Computer task

Parameter | Value | Configuration instructions
Scan scope | Entire server. In the server file resource tree the node Shared folders is excluded: the Anti-Virus scans public folders following their actual path to the hard drives. | You can create a scan area (see 9.2.1 on pg. 113).
Security settings | Common for the entire scan area; matching the Recommended security level | You can do the following for the nodes selected in the server file resources tree: select a different pre-defined security level (see 9.2.2.1 on pg. 120); manually change security settings (see 9.2.2 on pg. 120). You can save security settings as a template to use them later for another node (see 9.2.2.3 on pg. 127).
Trusted zone | If you selected Add to exclusions threats by mask not-a-virus:RemoteAdmin* and Add to exclusions files recommended by Microsoft, remote administration RemoteAdmin programs and files recommended by Microsoft will be excluded. | A unified list of exclusions that you can apply to the selected on-demand scan tasks and the Real-time file protection task. Chapter 8 on pg. 99 contains information about the creation and application of trusted zone.

9.2.1. Scan scope in the on-demand scan tasks
This chapter contains the following information:
• about defining the scan area (see 9.2.1.1 on pg. 114);
• about pre-defined areas (see 9.2.1.2 on pg. 114);
• defining the scan area (see 9.2.1.3 on pg. 116);
• including the network path to the scan area (see 9.2.1.4 on pg. 117);
• how to create a virtual scan area - include dynamic drive, folder and file (see 9.2.1.5 on pg. 118).

9.2.1.1. About defining the scan area in the on-demand scan tasks
By default, the scan area in the Full computer scan system task and in newly
created on-demand scan tasks includes the entire server. You can restrict the
scan area to selected areas of the server if your security requirements do not
call for scanning all of them.
In the Anti-Virus console the scan area is displayed as a tree of the server
file resources that Anti-Virus can scan.
Server file resource tree nodes are displayed as follows:
• The node is included into the scan area.
• The node is excluded from the protection area.
• At least one of the nodes nested in this node is excluded from the scan area,
or the security parameters of the nested node differ from the security
parameters of this node.
The names of virtual nodes of the protection area are displayed in blue font.

9.2.1.2. Pre-defined scan scopes


In order to view the server file resource tree:
1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task whose scan scope you want to view in order
to open it (see Figure 41).

Figure 41. An example of server file resource tree in the Anti-Virus console

The results panel displays the server file resource tree. You can create a scan
scope from the objects displayed there.
The server file resource tree contains the following pre-defined areas:
• My computer. Anti-Virus scans the entire server.
• Hard drives. Anti-Virus scans objects on the server's hard drives. You
can include into or exclude from the scan area all hard drives, individual
disks, folders or files.
• Removable drives. Anti-Virus scans objects on removable media, for
example on CDs or USB drives. You can include into or exclude from
the scan area all removable disks, individual disks, folders or files.
• System memory. Anti-Virus scans system and process memory.
• Startup objects. Anti-Virus scans objects referred to by registry keys and
configuration files (for example, WIN.INI or SYSTEM.INI) and the
application modules that are started automatically at the computer's
startup.
• Shared folders. Anti-Virus scans all public folders on the protected
server.
• Network places. You can add network folders or files to the scan area by
indicating the path to them in UNC (Universal Naming Convention) format.
The account that you use to launch the task must have the access right
to the folders and files added. By default on-demand scan tasks are
executed under the Local system (SYSTEM) account. For more details
refer to 9.2.1.4, pg. 117.
• Virtual drives. You can include into the scan area dynamic drives, folders
and files as well as drives connected to the server, for example
common cluster drives (create a virtual scan area). For more details
refer to 9.2.1.5, pg. 118.

Note
Virtual drives created using the SUBST command are not displayed in the server
file resource tree in the Anti-Virus console. In order to scan objects on such a
virtual drive, include the server folder with which this virtual drive is associated.
Connected network drives are not displayed in the server file resource tree
either. In order to include objects on a network drive into the scan area, specify
the path to the folder corresponding to this network drive in UNC format.
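
The Note above means that a path an administrator knows by drive letter may have to be entered in a different form. The following is an added example, not part of the original guide: it parses constructed sample output of the Windows `subst` and `net use` commands and returns either the associated server folder or the UNC path. The function names and sample values are this example's own, and the account that runs the task (SYSTEM by default) still needs access rights to any UNC path returned.

```python
"""Turn a drive-letter path into the form accepted by the scan area."""
import re
from pathlib import PureWindowsPath

# Constructed sample output of `subst` run on the protected server.
SUBST_OUTPUT = r"""
R:\: => C:\Data\Reports
"""

# Constructed sample output of `net use` run in an administrator session.
NET_USE_OUTPUT = r"""
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           Z:        \\fs01\projects           Microsoft Windows Network
Disconnected Y:        \\fs02\old archive        Microsoft Windows Network
The command completed successfully.
"""


def parse_subst(text):
    """Map each SUBST drive letter to the folder it is associated with."""
    drives = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]):\\: => (.+)$", line.strip())
        if m:
            drives[m.group(1).upper()] = m.group(2)
    return drives


def parse_net_use(text):
    """Map each connected network drive letter to its UNC path."""
    drives = {}
    # Optional status word, drive letter, then the remote path up to the
    # run of spaces that separates it from the Network column.
    pattern = re.compile(
        r"^\s*(?:[A-Za-z]+\s+)?([A-Za-z]):\s+(\\\\.+?)(?:\s{2,}.*)?$")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            drives[m.group(1).upper()] = m.group(2)
    return drives


def scan_scope_path(path, subst_drives, net_drives):
    """Return (kind, path) in the form that can be added to the scan area.

    kind is "server folder" for a SUBST drive, "unc" for a network drive
    or a path that is already UNC, and "unchanged" for anything else.
    """
    p = PureWindowsPath(path)
    if p.drive.startswith("\\\\"):
        return "unc", str(p)
    letter = p.drive[:1].upper()
    rest = p.parts[1:]  # parts[0] is the drive anchor, e.g. 'R:\\'
    if letter in subst_drives:
        return "server folder", str(PureWindowsPath(subst_drives[letter], *rest))
    if letter in net_drives:
        return "unc", str(PureWindowsPath(net_drives[letter], *rest))
    return "unchanged", str(p)


if __name__ == "__main__":
    subst = parse_subst(SUBST_OUTPUT)
    net = parse_net_use(NET_USE_OUTPUT)
    for sample in (r"R:\2008\q3.xls", r"Z:\src\build", r"D:\logs"):
        print(sample, "->", scan_scope_path(sample, subst, net))
```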

9.2.1.3. Creating a scan area

If you are remotely managing the Anti-Virus on a protected server via the MMC
console installed on the administrator's workstation, you must be a member of
the local administrators group on the protected server in order to view folders on
such server.
In order to create a scan area:
1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task whose scan scope you wish to create.
The server file resource tree will be displayed in the result panel. By
default all areas of the protected server are included into the scan area.
3. Perform the following actions:
• In order to select the nodes that you wish to include into the scan area,
uncheck the My computer box in the system on-demand scan task
and perform the following:
   o If you wish to include all drives of the same type into the scan
   area, check the box next to the name of the required disk type.
   o If you wish to include an individual disk into the scan area,
   expand the node that contains the list of drives of this type and
   check the box next to the name of the required drive. For example,
   in order to select removable drive F:, expand the node All
   removable drives and check the box for drive F.
   o If you would like to include an individual folder on the disk into
   the scan area, expand the server file resource tree in order
   to display the required folder and check the box next to its
   name. Using the same procedure you can also include files into
   the scan area.
• In order to exclude an individual node from the scan area, expand
the server file resource tree in order to display the required node
and uncheck the box next to its name.
4. Open the shortcut menu on the task name and select the Save command
in order to save the changes in the task.
To read about adding to the scan scope:
• a network drive, folder or file, refer to 9.2.1.4 on pg. 117;
• a dynamic drive, folder or file, refer to 9.2.1.5 on pg. 118.

9.2.1.4. Including network drives, folders or files into the scan area

You can add network drives, folders or files to the scan area indicating the path
to them in UNC (Universal Naming Convention) format.
In order to add a network object to the scan area:
1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task to whose scan area you wish to
add the network path.
3. Right-click the Network path node and select the Add network folder
or the Add network file command.
4. Enter the path to the network folder or file in UNC format and press
<ENTER>.
5. Check the box next to the added network object to include the added
network path into the scan area.
6. If required, change the security settings for the added network object
(see 9.2.2 on pg. 120).
7. Open the shortcut menu on the task name and select the Save command
in order to save the changes in the task.

9.2.1.5. Creating a virtual scan scope: adding dynamic disks, folders or files to the scan scope

You can include into the scan area dynamic drives, folders and files as well as
drives connected to the server, for example common cluster drives (create a
virtual scan area). For more details about the virtual scan area refer to 6.2.1.4
on pg. 68.
You can add dynamic drives, folders or files to the virtual scan area.
In order to add a virtual drive into the scan area:
1. Expand the On-demand scan node in the console tree.
2. Select the on-demand scan task in which you wish to create a virtual
scan area in order to open the task.
3. In the server file resource tree in the result panel, open the shortcut
menu on the Virtual drives node and select the name for the virtual
drive being created from the list of available names (see Figure 42).

Figure 42. Selecting name for a virtual drive being created

4. Check the box next to the added drive in order to include the drive into the
scan area.
5. Open the shortcut menu on the task name and select the Save command
in order to save the changes in the task.
In order to add a virtual folder or a virtual file into the scan area:
1. Expand the On-demand scan node in the console tree.
2. Click on the on-demand scan task in which you wish to create a virtual
scan area in order to open the task.
3. In the server file resources tree in the results panel, open the shortcut
menu on the node into which you wish to add a folder or a file and select
Add virtual folder or Add virtual file.

Figure 43. Adding a virtual folder

4. In the entry field specify the name of the folder (file). You can use a folder
(file) name mask. Use the special symbols * and ? for the mask.
5. In the line with the name of the created folder (or file), check the box
in order to include this folder (file) into the scan area.
6. Open the shortcut menu on the task name and select the Save command
in order to save the changes in the task.

9.2.2. Configuring security settings for the selected node
You can configure security settings in the selected on-demand scan task either
as common settings for the entire scan area or as individual settings for
individual nodes in the server file resource tree. The security settings that you
configure for the selected node will automatically be applied to all nodes nested
into it. However, if you configure security settings for a nested node separately,
the security settings of the parent node will not apply to it.
You can configure settings of the selected scan area using one of the following
methods:
• select one of the three pre-defined security levels (minimum, recommended
or maximum) (see 9.2.2.1 on pg. 120);
• manually change security settings of the selected nodes in the server
file resource tree (see 9.2.2.2 on pg. 123).
You can save the set of settings of the node into a template so that you can
later apply this template to other nodes (see 9.2.2.3 on pg. 127).

9.2.2.1. Selecting pre-defined security levels for on-demand scan tasks
You can apply one of the following three security levels to the node selected in
the server file resources tree: a) maximum speed, b) recommended and
c) maximum protection. Each of these levels has its own pre-defined set of
security settings. These settings are provided in Table 6.
Maximum Speed
You can set the Maximum Speed security level on the server if, apart from
the use of Anti-Virus on the servers and workstations, there are additional
computer security measures in your local network, for example, firewalls are
set up and network user security policies are in place.
Recommended
The Recommended security level is set by default. Kaspersky Lab's experts
consider this security level to be sufficient for scanning servers in
most networks. It ensures the optimum combination of scan quality and
speed.
Maximum Protection
Use the Maximum Protection security level if there are no other computer
security measures in your network.
To learn how to manually configure security parameters for the selected node in
the file resource tree see 9.2.2 on pg. 120.
Table 6. Pre-defined security levels and corresponding security settings

| Security settings | Maximum Speed | Recommended | Maximum protection |
|---|---|---|---|
| Detectable objects (see A.3.2 on pg. 360) | by format | all objects | all objects |
| Scan new and modified objects only (see section A.3.3 on pg. 362) | Enabled | Disabled | Disabled |
| Actions to be performed with infected objects (see A.3.5 on pg. 364) | disinfect, delete if disinfection is not possible | disinfect, delete if disinfection is not possible | disinfect, delete if disinfection is not possible |
| Actions to be performed with suspicious objects (see A.3.6 on pg. 366) | isolate (quarantine) | isolate (quarantine) | isolate (quarantine) |
| Excluding objects (see A.3.8 on pg. 369) | no | no | no |
| Excluding threats (see A.3.9 on pg. 370) | no | no | no |
| Maximum object scan time (see A.3.10 on pg. 372) | 60 sec | no | no |
| Maximum composite object size (see A.3.11 on pg. 372) | 8 | no | no |
| NTFS streams scan (see A.3.2 on pg. 360) | yes | yes | yes |
| Detectable objects (see A.3.2 on pg. 360) | yes | yes | yes |
| Scanning composite objects (see A.3.4 on pg. 363) | SFX-archives*, packed objects*, embedded OLE-objects* (*new and modified objects only) | archives*, SFX-archives*, packed objects*, embedded OLE-objects* (*All objects) | archives*, SFX-archives*, mail databases*, mail format files*, packed objects*, embedded OLE-objects* (*All objects) |

Note
Note that scan settings Use iChecker and Use iSwift are not included into the set
of settings of the pre-defined security levels. By default these settings are
enabled. If you change the state of Use iChecker and Use iSwift, the pre-defined
security level will not change.

In order to select one of the pre-defined security levels:
1. Select the On-demand scan node in the console tree.
2. Select the on-demand scan task in which you wish to configure the security
level.
3. Select the scan area node for which you wish to select the pre-defined
security level.
4. Make sure that this node is included into the scan area (see 9.2.1.1 on
pg. 114).
5. Using the Security level dialog box (see Figure 44), select the security
level you wish to apply.

Figure 44. The Security level dialog box

The dialog box will display the list of security settings corresponding to
the security level you selected.
6. Open the shortcut menu on the task name and select the Save command
in order to save the changes in the task.

9.2.2.2. Configuring security settings manually


In order to configure security settings manually:
1. Select the On-demand scan node in the console tree.
2. Select the on-demand scan task in which you wish to configure the security
level.
3. Select the scan area node for which you wish to configure the security
settings. Make sure that this node is included into the scan area (for
more details about defining the scan area refer to 9.2.1.3 on pg. 116).
The Security level dialog box will then be displayed in the bottom part
of the results panel (see Figure 45).

Figure 45. The Security level dialog box

Press the Settings button in order to open the Security settings dialog
box.

Note
You can open the Security Settings dialog box for the selected node in
the file resource tree by right-clicking this node and selecting Properties.

4. In the Security Settings dialog box configure the security settings
for the selected node in accordance with your requirements.
• In the General tab (see Figure 46) perform the following actions:
   o Under the Scan scope heading, indicate whether the Anti-Virus
   will scan all objects in the scan area or only objects with
   certain formats or extensions, and whether it will scan disk boot
   sectors and master boot records and alternative NTFS streams
   (see A.3.2 on pg. 360).
   o Under the Productivity heading, specify whether Anti-Virus will
   scan all objects within the selected area or only new and
   modified objects (see section A.3.3 on pg. 362).
   o Under the Process compound objects heading, indicate
   which composite objects will be scanned by the Anti-Virus (see
   A.3.4 on pg. 363).

Figure 46. The Security Settings dialog box of the On-demand scan task, the General tab

• In the Actions tab (see Figure 47) configure the following:
   o Actions to be performed with infected objects (see A.3.5 on pg. 364);
   o Actions to be performed with suspicious objects (see A.3.6 on
   pg. 366);
   o Actions to be performed with objects depending on the threat
   type (see A.3.7 on pg. 368).

Figure 47. The Security Settings dialog box of the On-demand scan task, the Actions tab

• In the Performance tab (see Figure 48) configure the following,
if necessary:
   o Excluding objects (see A.3.8 on pg. 369);
   o Excluding threats (see A.3.9 on pg. 369);
   o Maximum time of the object scan (see A.3.10 on pg. 372);
   o Maximum composite detectable object size (see A.3.11 on
   pg. 372);
   o Using iChecker technology (see A.3.12 on pg. 373);
   o Using iSwift technology (see A.3.13 on pg. 374).

Figure 48. The Security Settings dialog box of the On-demand scan task, the Performance tab

5. After you have configured the required security settings, open the
shortcut menu on the task name and select the Save command in order to
save the changes in the task.

9.2.2.3. Working with templates in on-demand scan tasks

This section contains the following information:
• Saving security settings to a template (see 9.2.2.3.1 on pg. 128);
• Viewing security settings in a template (see 9.2.2.3.2 on pg. 129);
• Applying a template (see 9.2.2.3.3 on pg. 130);
• Deleting a template (see 9.2.2.3.4 on pg. 131).

9.2.2.3.1. Saving security settings to a template

After you have configured the settings of any node in the server file resource
tree in an on-demand scan task, you can save this set of settings into a template
in order to apply it to another node in the same task or in other on-demand tasks.
In order to save a set of security settings into a template:
1. Select On-demand scan in the console tree.
2. Select the on-demand scan task whose security settings you wish to save
into the template.
3. In the server file resource tree select the scan area node whose set of
settings you wish to save.
4. In the General tab of the Settings dialog box press the Save to template
button.
5. In the Template properties dialog box (see Figure 49) perform the
following actions:
• Enter the template name in the Template name field.
• Enter additional template information in the Description field.

Figure 49. The Template properties dialog box

6. Press OK. The template with the set of parameter values will be saved.

9.2.2.3.2. Viewing security settings in a template

To view security settings in a template that you have created:


1. Open the context menu on the On-demand scan node and select the
Templates command (see Figure 50).

Figure 50. The Templates dialog box

The Templates dialog box displays a list of templates that you can apply
to on-demand scan tasks.
2. To view the information and security settings in a template, select the
template from the list and click the View button (see Figure 51).

Figure 51. The <Template name> dialog box, Settings tab

The General tab displays the template name and additional information
about the template; the Settings tab lists the security settings saved in
the template.

9.2.2.3.3. Applying a template

In order to apply a template with security settings:


1. First save the security settings to a template (see 9.2.2.3.1 on pg. 128).
2. Select the On-demand scan node in the console tree.
3. Select the on-demand scan task in which you wish to apply the security
settings.
4. In the server file resource tree right-click on the node to which you wish
to apply the template and select Apply template → List of templates.
5. Use the list of templates to select the template to apply.
6. To save the changes press OK in the Security Settings dialog box.

Note
If you apply a template to a parent node, the security parameters from the
template will also be applied to all nested nodes except those for which you
have configured security parameters separately.
In order to apply the security settings from the template to all nested nodes,
before you apply the template you must uncheck the parent node in the server's
file resources tree and then check it again. Then apply the template to the parent
node. All nested nodes will have the same security settings as the parent node.
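
The inheritance rule from section 9.2.2 and the Note above can be modelled to find nested nodes that keep separately configured, less thorough settings after a template is applied to their parent. This is an added example, not part of the original guide or of the product: the class, the function names, the sample tree and the ordering of the three levels are assumptions of the example, and the uncheck/re-check step is modelled as removing the separate settings of nested nodes.

```python
"""Model of how on-demand scan security settings reach nested nodes."""

# Pre-defined levels, ordered from least to most thorough. The ordering is
# an assumption of this example, based on the guide's description of them.
LEVELS = ["Maximum speed", "Recommended", "Maximum protection"]


class Node:
    def __init__(self, name, parent=None, own_level=None):
        self.name = name
        self.parent = parent
        self.own_level = own_level  # None: the parent's settings apply
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def path(self):
        if self.parent is None:
            return self.name
        return self.parent.path() + "\\" + self.name

    def effective_level(self):
        """Settings of the nearest node (self or ancestor) that has its own."""
        node = self
        while node.own_level is None:
            if node.parent is None:
                raise ValueError("root node has no security settings")
            node = node.parent
        return node.own_level

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()


def apply_template(node, level):
    """Apply a template to a node. Nested nodes that were configured
    separately keep their own settings."""
    node.own_level = level


def uncheck_and_recheck(node):
    """Model of unchecking and re-checking a parent node before applying a
    template: nested nodes no longer carry separate settings."""
    for nested in node.descendants():
        nested.own_level = None


def weaker_nested_nodes(root):
    """List (path, own level, inherited level) for every nested node whose
    separate settings are less thorough than those it would inherit."""
    findings = []
    for nested in root.descendants():
        if nested.own_level is None:
            continue
        inherited = nested.parent.effective_level()
        if LEVELS.index(nested.own_level) < LEVELS.index(inherited):
            findings.append((nested.path(), nested.own_level, inherited))
    return findings


def build_sample_tree():
    # Constructed sample scan area; node names are illustrative only.
    root = Node("Hard drives", own_level="Recommended")
    d = Node("D:", root)
    uploads = Node("Uploads", d, own_level="Maximum speed")
    Node("Incoming", uploads)
    Node("Archive", d, own_level="Maximum protection")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    apply_template(tree, "Maximum protection")
    for finding in weaker_nested_nodes(tree):
        print("still weaker than parent:", finding)
```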

9.2.2.3.4. Deleting a template

To delete a template:
1. Open the context menu on the On-demand scan node and select the
Templates command (see Figure 50).
2. In the Templates dialog box, select the template from the template list
that you want to delete and click the Delete button.
3. Click Yes in the confirmation window. The selected template will be
deleted.

9.3. Running a background on-demand scan task
By default the processes in which the Anti-Virus tasks are executed are assigned
the base priority Medium (Normal).
You can assign a Low priority to the process that will run an on-demand scan task.
Demoting the process priority increases the time required to execute the task,
but it may have a beneficial effect on the execution speed of the processes of
other active applications.
Several background tasks can run in one working process with low priority.
You can indicate the maximum number of processes to run background
on-demand scan tasks (see A.1.3 on pg. 342).
You can specify the task priority when you create the task or later in the Task
properties dialog box.
In order to change the priority of an on-demand scan task:
1. Expand the On-demand scan node in the console tree.
2. Open the shortcut menu on the on-demand scan task whose priority
you wish to change and select Properties.
The Scan My Computer Properties dialog box will open (see Figure 52).

Figure 52. The Scan My Computer Properties dialog box

3. Perform one of the following actions on the General tab:
• in order to enable the background task execution mode, check the
Execute task in the background box;
• in order to disable the background task execution mode, uncheck
the Execute task in the background box.

Note
If you enable or disable the background mode for a running task, the task priority
will not change immediately. Instead it will change next time this task is run.

9.4. On-demand scan task statistics


While an on-demand scan task is being executed, you can view information about
the number of objects processed by Anti-Virus since it was started until the
current moment in the Statistics dialog box.
If you pause a task, its statistics will be available in the Statistics dialog box.
After the task is completed or stopped you can view the task statistics in the
detailed report about the task events (see 13.2.4 on pg. 191).
In order to view the statistics of an on-demand scan task:
1. Expand the On-demand scan node in the console tree.
2. Open the shortcut menu on the on-demand scan task whose statistics you
wish to view and select Statistics (see Figure 53).

Figure 53. The Task execution status dialog box

The following information about objects processed by Anti-Virus since it was
started until the current moment will be displayed in the Task execution
status dialog box:

• In the Application Integrity Control task:

| Field | Description |
|---|---|
| Modules with breached integrity | Number of modules with breached integrity. If modules with breached integrity are detected, restore Anti-Virus. For instructions see document Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition. Installation Guide. |
| Total number of modules verified | The total number of verified modules. |

• In the Full computer scan, Scan at the system startup, Scan Quarantine and
user-defined on-demand scan tasks:

| Field | Description |
|---|---|
| Threats detected | The number of threats detected; for example, if Anti-Virus detects one malware program in five objects, the value in this field will be incremented by one. |
| Infected objects detected | Total number of infected objects detected. |
| Suspicious objects detected | Total number of suspicious objects detected. |
| Objects not disinfected | The number of objects that Anti-Virus did not disinfect because: a) the type of the threat contained in the object does not provide for disinfection; b) objects of this type cannot be disinfected; c) an error occurred during the disinfection. |
| Objects not quarantined | Number of objects that Anti-Virus must have quarantined, but was unable to do it due to an error, for example due to insufficient disk space. |
| Objects not deleted | Number of objects that Anti-Virus attempted but was unable to delete because, for example, access to the object was blocked by another program. |
| Objects not scanned | Number of objects in the scan scope that Anti-Virus failed to scan because, for example, access to the object was blocked by another program. |
| Objects not backed up | Number of files copies of which Anti-Virus attempted to save to Backup but was unable to due to an error. |
| Scan errors | Number of objects during processing of which Anti-Virus encountered an error. |
| Objects disinfected | Number of objects disinfected by Anti-Virus. |
| Objects quarantined | Number of objects quarantined by Anti-Virus. |
| Objects backed up | Number of files copies of which Anti-Virus saved to Backup. |
| Objects deleted | Number of objects deleted by Anti-Virus. |
| Password protected objects | Number of objects (for example archives) that Anti-Virus skipped as they were password-protected. |
| Corrupted objects | Number of objects skipped by Anti-Virus as their format is corrupted. |
| Objects scanned | Total number of objects scanned by the Anti-Virus. |

CHAPTER 10. UPDATING ANTI-VIRUS BASES AND APPLICATION MODULES

This chapter contains the following information:
• about updating of the Anti-Virus bases (see 10.1 on pg. 136);
• about updating of the application modules (see 10.2 on pg. 138);
• schemes for updating bases and application modules of the Anti-Virus
applications used within the organization (see 10.3 on pg. 139);
• description of the updating tasks (see 10.4 on pg. 143);
• configuring updating tasks:
   • selecting the update source, configuring connection with the update
   source, specifying the location of the protection server in the
   update tasks (see 10.5.1 on pg. 145);
   • configuring the settings of the Updating application modules task
   (see 10.5.2 on pg. 150);
   • configuring the settings of the Updates distribution task (see 10.5.3
   on pg. 152);
• statistics of the updating tasks (see 10.6 on pg. 153);
• Anti-Virus database update rollback (see 10.7 on pg. 154);
• application modules update rollback (see 10.8 on pg. 154).

10.1. About updating Anti-Virus bases
Anti-Virus bases stored on the protected server soon become outdated.
Kaspersky Lab's Anti-Virus analysts detect hundreds of new threats on a daily
basis, create records that identify them and include them into the database
updates. (Database updates are one or several files containing records
identifying threats that were detected during the time since the previous update
was created.) In order to maintain protection of servers at the required level and
to minimize the server infection risk, we recommend that you download database
updates on a regular basis.
By default, if the Anti-Virus bases are not updated within a week after the
moment the latest installed bases updates were created, a Bases obsolete event
occurs, and if the bases are not updated within two weeks, a Bases outdated
event occurs (information about the bases up-to-date status is displayed in
the Statistics node, see section 13.4 on pg. 203). You can specify the number of
days before these events occur using general Anti-Virus settings (see 3.2 on pg.
40) and configure administrator notifications about these events (see 15.2 on pg.
216).
You can update bases from Kaspersky Lab's FTP or HTTP update servers or
from other update sources using the Anti-Virus task Application database update.
For details about the Application database update task see 10.4 on pg. 143.
You can download updates to each protected server or use one computer as an
intermediary by copying all updates onto it and then distributing them to the
servers. If you use the Kaspersky Administration Kit application for the
centralized administration of protection of computers in a company, you can use
the Kaspersky Administration Kit administration server as an intermediary for
downloading updates. In order to copy bases to the intermediary computer without
using them, use the Updates Distribution task. For more details about this task
see 10.4 on pg. 143.
You can launch the database update tasks manually or using a schedule (to
learn how to configure a task schedule see 5.7 on pg. 53).
If the update downloading process is interrupted or results in an error, the
Anti-Virus will automatically switch back to using bases with the latest installed
updates. If the Anti-Virus bases become corrupted you can manually roll them back
to the previously installed updates (see 10.7 on pg. 154).
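
The default one-week and two-week thresholds described above can also be checked across a group of servers, which helps tell one server that missed its updates from an intermediary computer that has stopped distributing them. This is an added example, not part of the original guide or of the product: the inventory format, server names and update sources are constructed, and treating exactly 7 or 14 days as already past the threshold is an assumption of the example.

```python
"""Classify Anti-Virus bases by age and spot a stale update source."""
from collections import defaultdict
from datetime import date

# Defaults stated in this guide; both can be changed in the general
# Anti-Virus settings.
OBSOLETE_AFTER_DAYS = 7    # one week  -> Bases obsolete
OUTDATED_AFTER_DAYS = 14   # two weeks -> Bases outdated


def bases_status(released, today, obsolete_after=OBSOLETE_AFTER_DAYS,
                 outdated_after=OUTDATED_AFTER_DAYS):
    """Return the status for bases whose latest installed update was
    created on `released`, evaluated on `today`."""
    age = (today - released).days
    if age < 0:
        raise ValueError("bases release date is in the future")
    if age >= outdated_after:
        return "Bases outdated"
    if age >= obsolete_after:
        return "Bases obsolete"
    return "current"


def review_update_sources(inventory, today):
    """Group servers by update source and list the stale ones.

    A source is flagged as suspect when it serves more than one server and
    every one of them is stale: that pattern points at the intermediary
    computer rather than at an individual server.
    """
    by_source = defaultdict(list)
    for row in inventory:
        status = bases_status(row["bases_released"], today)
        by_source[row["update_source"]].append((row["server"], status))
    report = {}
    for source, rows in by_source.items():
        stale = sorted(name for name, status in rows if status != "current")
        report[source] = {
            "stale": stale,
            "source_suspect": len(rows) > 1 and len(stale) == len(rows),
        }
    return report


# Constructed sample inventory (server names, sources and dates are made up).
SAMPLE_TODAY = date(2008, 7, 31)
SAMPLE_INVENTORY = [
    {"server": "SRV-A", "update_source": r"\\upd01\Updates",
     "bases_released": date(2008, 7, 30)},
    {"server": "SRV-B", "update_source": r"\\upd01\Updates",
     "bases_released": date(2008, 7, 22)},
    {"server": "SRV-C", "update_source": r"\\upd02\Updates",
     "bases_released": date(2008, 7, 15)},
    {"server": "SRV-D", "update_source": r"\\upd02\Updates",
     "bases_released": date(2008, 7, 16)},
    {"server": "SRV-E", "update_source": "Kaspersky Lab's update servers",
     "bases_released": date(2008, 7, 31)},
]

if __name__ == "__main__":
    for source, result in review_update_sources(SAMPLE_INVENTORY,
                                                SAMPLE_TODAY).items():
        print(source, result)
```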

Note
If you do not have internet access you can receive update files on diskettes or
CD from our partners. You can view information about the partner you have
purchased your copy of Anti-Virus from in the properties of the installed key in
the Anti-Virus console. You can also call our central office in Moscow at
+7 (495) 797-87-07, +7 (495) 645-79-29 or +7 (495) 956-87-08 for the address
of our partner located closest to you (support is provided in Russian and
English).

10.2. About updating application modules
Kaspersky Lab can issue update packages for Anti-Virus application modules.
The update packages can be urgent (or critical) and scheduled. Critical update
packages repair vulnerabilities while scheduled packages add new functions or
enhance existing functions.
Urgent (critical) update packages are uploaded to Kaspersky Lab's update
servers. You can download and install them automatically by configuring
the Application modules update task.
Kaspersky Lab does not publish scheduled update packages on the update
servers for automatic installation; you can download them from Kaspersky Lab's
website. Using the Application modules update task you can receive
information about the release of scheduled Anti-Virus updates.
You can download urgent updates from the Internet to each protected server or
use one computer as an intermediary by copying all updates onto it and then
distributing them to the servers. In order to copy and save updates without
installing them, use the Updates Distribution task. For more details about this
task see 10.4 on pg. 143.
Before it installs updates of application modules, Anti-Virus creates backup
copies of the previously installed modules. If the application modules updating
process is interrupted or results in an error, Anti-Virus will automatically return
to the use of the previously installed application modules. Additionally, you can
roll back application modules manually (see 10.8 on pg. 154).
During the installation of downloaded updates the Anti-Virus service automatically
stops and then restarts.

Note
If you do not have internet access you can receive update files on diskettes or
CD from our partners. You can view information about the partner you have
purchased your copy of Anti-Virus from in the properties of the installed key in
the Anti-Virus console. You can also call our central office in Moscow at
+7 (495) 797-87-07, +7 (495) 645-79-29 or +7 (495) 956-87-08 for the address
of our partner located closest to you (support is provided in Russian and
English).

10.3. Schemes for updating bases and application modules of the Anti-Virus applications used within the organization
Your choice of the update source in the update tasks depends on the bases and
application modules update scheme you use within your organization.
You can update Anti-Virus bases and modules on the protected servers using
the following schemes:
• download updates directly from the Internet to each protected server
(Scheme 1);
• download updates from the Internet to an intermediary computer and
distribute updates to the servers from it.
Any computer with one of the following installed can serve as an
intermediary computer:
   • Anti-Virus (one of the protected servers) (Scheme 2);
   or
   • Kaspersky Administration Kit administration server (Scheme 3).
Updating using an intermediary computer decreases internet traffic
and also provides additional security for the servers.
The update schemes listed are described below.

Scheme 1. Updating directly from the Internet


Configure the Updating application bases (Updating application modules) task on each protected server. Specify Kaspersky Lab's update servers as the update source. Configure the task schedule.
You can specify other HTTP or FTP servers containing the folder with the update files as the update source.

Figure 54. Updating directly from the Internet

Scheme 2. Updating from one of the protected servers


Updating that uses this scheme (see Figure 55) includes the following steps:
Step 1. Copying updates to the selected protected server
Configure the Updates distribution task on the selected server. Specify
Kaspersky Lab's update servers as the update source. Specify a folder into
which updates will be saved: it must be a public folder.
Using this task you can receive updates not only for the protected server but also for computers in the local area network with other Kaspersky Lab applications of version 6.0 installed (for example, Kaspersky Anti-Virus 6.0 for Windows Workstations).
Step 2. Distribution of updates to the rest of the protected servers
Configure the Application database update (Application modules update) task on each protected server. In this task, specify as the update source the folder on the intermediary computer's drive into which you downloaded the updates.

Figure 55. Updating from one of the protected servers

Scheme 3. Updating via Kaspersky Administration Kit administration server
If you use the Kaspersky Administration Kit application for centralized administration of anti-virus protection of computers, you can download updates via the Kaspersky Administration Kit administration server (see Figure 56).

Figure 56. Updating via Kaspersky Administration Kit administration server

Updating that uses this scheme includes the following steps:
Step 1. Downloading updates from Kaspersky Lab's update servers to the Kaspersky Administration Kit administration server
Configure the global task Receiving updates by Administration server. Specify Kaspersky Lab's update servers as the update source.
Using this task you can receive updates not only for the protected servers but also for computers in the local area network with other Kaspersky Lab applications of version 6.0 installed (for example, Kaspersky Anti-Virus 6.0 for Windows Workstations).
Step 2. Distribution of updates to the protected servers
Distribute updates to the protected servers using one of the following methods:
• On the Kaspersky Administration Kit Administration Server, configure an Anti-Virus bases (application module) update group task for distributing updates to the protected servers; in the task schedule specify the launch frequency Upon receiving updates by Administration server. The Administration Server will launch the task each time it receives updates (this is the recommended method).
Configure the task schedule. You can specify the launch frequency option After receiving updates by Administration server. The task will be launched each time the Administration Server receives bases updates.

Note
You cannot specify the launch frequency After receiving updates by Administration server in the Anti-Virus console in MMC.

• Configure the Application database update (Application modules update) task on each of the protected servers and select the Kaspersky Administration Kit administration server as the update source in this task. Configure the task schedule.
If you plan to use the Kaspersky Administration Kit administration server for distributing updates, install Network Agent, an application component included in the Kaspersky Administration Kit installation package, on each of the protected servers. It ensures interaction between the Administration Server and Anti-Virus on the protected server. For more details about Network Agent and its configuration using Kaspersky Administration Kit, see the document Kaspersky Administration Kit. Administrator's Guide.

10.4. Updating tasks


There are four pre-defined system updating tasks in Anti-Virus: Updating database, Updating application modules, Updates distribution and Database rollback (see Figure 57).

Figure 57. Updating tasks in the Anti-Virus console window



Application database update


Anti-Virus copies bases from the update source to the protected server and immediately starts using them in the running real-time security and on-demand scan tasks.
By default Anti-Virus starts the Application database update task every hour; it connects to the update source, one of the Kaspersky Lab update servers, automatically detecting the proxy server settings from the network and without authenticating on the proxy server when accessing it.
Application modules update
Anti-Virus copies updates of its application modules from the update sources to the protected server and installs them. A computer restart may be required in order to start using the installed application modules.
Weekly, on Fridays at 16:00 (time in the format established by the regional settings of the protected server), Anti-Virus runs the Application modules update task to check for available patches and upgrades of Anti-Virus modules without downloading them.
Updates distribution
Anti-Virus downloads database and application module update files and saves them to the specified network or local folder without applying them.
Database update rollback
Anti-Virus returns to using the previously installed bases.
Refer to section 10.5 on pg. 144 for details on configuring update tasks.

Note
You can stop the updating tasks; however, you cannot pause them.

For details on managing tasks in Anti-Virus refer to 5.6 on pg. 53.

10.5. Configuring updating tasks


This section describes how you can perform the following actions in the updating tasks:
• select the update source, configure the connection with the update source, and specify the location of the protected server to optimize the update download process (see 10.5.1 on pg. 145);
• configure the settings of the Updating application modules task (see 10.5.2 on pg. 150);
• configure the settings of the Updates distribution task (see 10.5.3 on pg. 152).

10.5.1. Selecting the update source, configuring the connection with the update source and regional settings
In each updating task you can specify one or several update sources, configure the connection with the sources and specify the location of the protected server to optimize updates (regional settings).
In order to configure the update settings:
1. Select Update in the console tree.
2. Open the shortcut menu on the update task for which you wish to configure the update source and select Properties.
Using the tabs of the Task properties dialog box, configure the update settings according to your requirements.
3. Using the General tab (see Figure 58), select the source from which you wish to receive updates (for more details refer to A.5.1 on pg. 381).

Figure 58. The Task properties dialog box, General tab

4. If you select Custom HTTP, FTP-servers or network folders, add one or several user-defined update sources. In order to specify a source, press the Change button and, in the Update Servers dialog box (see Figure 59), press the Add button; then, in the entry field, specify the address of the folder with the update files on an FTP or HTTP server, or specify a local or a network folder in the UNC (Universal Naming Convention) format. Press the OK button.
You can enable or disable added user-defined sources: in order to disable a source you added, uncheck the box next to it in the list; in order to enable a source, check the box next to it in the list.
In order to change the order in which Anti-Virus calls the user-defined sources, use the Up and Down buttons to move the selected source towards the beginning or the end of the list, depending on whether you wish to use it before or after other sources.

Figure 59. Adding user-defined update sources

In order to change the path to a source, select the source in the list and press the Change button, make the required changes in the entry field and press the <Enter> key.
In order to remove a source, select it in the list and press the Delete button. The source will be deleted from the list.
5. In order to use Kaspersky Lab's update servers to download updates if the user-defined sources are unavailable, check the Use Kaspersky Lab's update servers if custom servers or network folders are not accessible box.
6. Using the Connection Settings tab (see Figure 60), configure the connection with the update source.

Figure 60. The Task properties dialog box, Connection settings tab

Perform the following actions:
• specify the FTP server mode for connection to the protected server (see A.5.2 on pg. 382);
• if required, change the update source connection timeout (see A.5.3 on pg. 383);
• if access to the proxy server is required for downloading updates from one of the specified sources, describe the proxy server access settings:
   o the use of a proxy server for connection to various update sources (see A.5.4.1 on pg. 384);
   o address of a proxy server (see A.5.4.2 on pg. 385);
   o authentication method when accessing the proxy server (see A.5.4.3 on pg. 385).
7. Using the Regional Settings tab (see Figure 61), select from the Location list the country where the protected server is located (for more details about this setting refer to A.5.5 on pg. 387).

Figure 61. The Task properties dialog box, the Regional settings tab

8. After you have configured the required settings, press the OK button to
save changes.
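
The source list behaviour described in steps 4 and 5 (list order, check boxes, fallback to Kaspersky Lab's update servers) can be reviewed before a task is saved. The following Python model is an added example, not Kaspersky Lab code: the host and share names are constructed placeholders, the reachability probe is supplied by the caller, and it assumes that the first enabled source that responds is the one used.

```python
import re
from dataclasses import dataclass

KL_SERVERS = "Kaspersky Lab's update servers"  # label for the built-in source, not an address

# \\server\share[\folder...]; characters Windows forbids in names are rejected
_UNC = re.compile(r'^\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+(?:\\[^\\/:*?"<>|]+)*\\?$')
_LOCAL = re.compile(r'^[A-Za-z]:\\')
_URL = re.compile(r'^(http|ftp)://[^/\s]+(/\S*)?$', re.IGNORECASE)


@dataclass
class Source:
    address: str
    enabled: bool = True   # the check box next to the source in the list


def classify(address):
    """Return 'unc', 'local', 'http', 'ftp' or 'invalid' for one list entry."""
    if _UNC.match(address):
        return "unc"
    if _LOCAL.match(address):
        return "local"
    m = _URL.match(address)
    return m.group(1).lower() if m else "invalid"


def audit(sources, kl_fallback):
    """Return a list of configuration findings for a user-defined source list."""
    findings = []
    seen = set()
    for pos, src in enumerate(sources, start=1):
        if classify(src.address) == "invalid":
            findings.append(f"#{pos} {src.address!r}: not an HTTP/FTP address, local path or UNC path")
        key = src.address.rstrip("\\/").lower()
        if key in seen:
            findings.append(f"#{pos} {src.address!r}: duplicate entry")
        seen.add(key)
    usable = [s for s in sources if s.enabled and classify(s.address) != "invalid"]
    if not usable and not kl_fallback:
        findings.append("no enabled, well-formed source and fallback is off: nothing to download from")
    return findings


def select_source(sources, reachable, kl_fallback):
    """Walk the list top to bottom and return (chosen, attempts).

    `reachable` is a caller-supplied probe (address -> bool). Assumptions of this
    model: the first enabled source that answers is used, later ones are not
    contacted, and malformed entries are skipped; the guide states only that
    list order sets the order of calls.
    """
    attempts = []
    for src in sources:
        if not src.enabled:
            attempts.append((src.address, "skipped (unchecked)"))
            continue
        if classify(src.address) == "invalid":
            attempts.append((src.address, "skipped (malformed)"))
            continue
        if reachable(src.address):
            attempts.append((src.address, "used"))
            return src.address, attempts
        attempts.append((src.address, "unavailable"))
    if kl_fallback:
        attempts.append((KL_SERVERS, "used (fallback)"))
        return KL_SERVERS, attempts
    return None, attempts


# Constructed sample list; host and share names are placeholders.
SAMPLE = [
    Source(r"\\updsrv01\kav-updates"),
    Source("http://updates.example.internal/kav/", enabled=False),
    Source("ftp://mirror.example.internal/updates"),
    Source(r"updsrv01\kav-updates"),          # missing leading \\ -> malformed
]

if __name__ == "__main__":
    for line in audit(SAMPLE, kl_fallback=False):
        print("finding:", line)
    down = {r"\\updsrv01\kav-updates"}        # pretend the share is offline
    chosen, log = select_source(SAMPLE, lambda a: a not in down, kl_fallback=True)
    for address, outcome in log:
        print(f"{outcome:22} {address}")
    print("update source:", chosen)
```

With every custom source unreachable and the fallback box unchecked, the model returns no source at all, which is the configuration to look for on servers that must keep receiving bases.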

10.5.2. Configuring Updating application modules task settings
In order to configure the settings of the Application modules update task:
1. Select Update in the console tree.
2. Right-click the Updating application modules task and select Properties.
3. In the Properties: Application Modules Update dialog box specify the update source and the settings used to connect to it (see the instructions in section 10.5.1 on pg. 145).
4. On the General tab (see Figure 62) select whether you wish to download and install the updates or only check for their availability (for more details about this setting refer to A.5.6.1 on pg. 388).

Figure 62. The Application modules update Properties dialog box, the General tab

5. If you want Anti-Virus to restart the server automatically when a restart is required to apply installed application modules, check the Allow system reboot box.
6. If you wish to receive information about the release of scheduled Anti-Virus updates, check the Receive information about available application modules updates box.
Kaspersky Lab does not publish scheduled update packages on the update servers for automatic updating; you can download them manually from Kaspersky Lab's website. You can configure administrator notification about the event Scheduled Anti-Virus updates available; the notification will contain the URL of our site from which you can download scheduled updates (for more details about the notification refer to 15.2 on pg. 216).
7. Press OK to save the changes.

10.5.3. Configuring Download updates task settings
In order to configure Updates distribution task settings:
1. Select Update in the console tree.
2. Right-click the Updates distribution task and select Properties.
3. In the Properties: Updates distribution dialog box (see Figure 63) specify the update source and the settings used to connect to it (see the instructions in section 10.5.1 on pg. 145).

Figure 63. The Updates distribution Properties dialog box, the General tab

4. On the General tab specify the scope of the updates to be downloaded into the specified folder (for more details about this setting refer to A.5.7.1 on pg. 389).
5. Specify a local or a network folder into which Anti-Virus will save the downloaded updates (for more details about this setting refer to A.5.7.2 on pg. 390).
6. Press OK to save the changes.

10.6. Updating task statistics


While an updating task is running you can view, in real time, information about the amount of data downloaded from the moment the task was launched up to the current moment (task execution statistics).
Information in the Statistics dialog box will be available if you pause. After the
task is completed or stopped you can view this information in a detailed report
about events in the task (see 13.2.4 on pg. 191).
In order to view the updating task statistics:
1. Expand the Update node in the console tree.
2. Right-click the required task and select Statistics.
The amount of data downloaded by Anti-Virus as of the current moment (Received data) is indicated in the Task execution status dialog box for the Application database update and Updates distribution tasks.
The Update application modules Task execution status dialog box displays the following information:

Field | Description
Downloaded data | Total amount of downloaded data
Available critical updates | Number of critical updates available for installation
Available planned updates | Number of scheduled updates available for installation
Errors applying updates | If the value of this field is not zero, the update was not applied. You can view the name of the update that caused an error when Anti-Virus attempted to apply it in the detailed task execution report.

10.7. Rolling back Anti-Virus database updates
Before applying database updates, Anti-Virus creates backup copies of the bases currently in use. If the update has been interrupted or has resulted in an error, Anti-Virus will automatically return to the previously installed bases.
If you encounter any problems after the database update, you can roll the bases back to the previously installed bases by starting the Rollback update task.

10.8. Rolling back application modules update
Before applying updates of application modules, Anti-Virus creates backup copies of the modules currently in use. If the module update process has been interrupted or has resulted in an error, Anti-Virus will automatically return to the modules with the latest installed updates.
You can manually roll application modules back to the previously installed updates.
In order to roll back the application modules, use the Microsoft Windows component Add and remove programs.
CHAPTER 11. ISOLATION OF SUSPICIOUS OBJECTS. USING QUARANTINE

This chapter contains the following information:
• about isolation of suspicious objects (see 11.1 on pg. 155);
• viewing quarantined objects, sorting and filtering objects (see 11.2 on pg. 156);
• scanning quarantined objects, on demand or automatically after each bases update (see 11.3 on pg. 160);
• restoration of objects from quarantine (see 11.4 on pg. 162);
• manual quarantining of objects (see 11.5 on pg. 166);
• deletion of quarantined objects (see 11.6 on pg. 166);
• sending suspicious objects from quarantine to Kaspersky Lab for analysis (see 11.7 on pg. 167);
• configuring quarantine settings (see 11.8 on pg. 169);
• quarantine statistics (see 11.9 on pg. 171).
Description of the Quarantine settings is provided in section A.6 on pg. 391.

11.1. About isolation of suspicious objects
Anti-Virus isolates objects that it finds suspicious by placing them into quarantine: it moves them from their original location into a special folder where, for security, they are stored in encrypted form. (For more details on how Anti-Virus finds objects suspicious see 1.1.3 on pg. 17.)

11.2. Viewing quarantined objects


You can view quarantined objects in the Quarantine node of the Anti-Virus console.
To view quarantined objects, select the Quarantine node from the console tree
(see Figure 64).
In order to find the required object in the list of quarantined objects, you can sort
objects (see 11.2.1 on pg. 158) or filter the objects (see 11.2.2 on pg. 159).

Figure 64. Information about quarantined object in the Quarantine node

The following information is displayed in the results panel for each quarantined
object:

Field | Description
Object | Name of the quarantined object
Result | The status of a quarantined object may have the following values:
• Warning. The object has been found suspicious by the heuristic code analyzer.
• Suspicious. The object has been found suspicious: a partial match between a section of the object's code and a section of the code of a known threat has been detected.
• Infected. The object has been found infected: a full match between a section of the object's code and a section of the code of a known threat has been detected.
• False alarm. Anti-Virus placed the object into quarantine as suspicious, or you quarantined it manually, but during the quarantine scan using updated bases Anti-Virus found that the object is not infected.
• Disinfected. Anti-Virus placed the object into quarantine as suspicious, or you quarantined it manually, but during the quarantine scan using the updated database Anti-Virus found the object infected and disinfected it. You can safely restore the object.
• Added by the user. The object was quarantined by the user.
Danger level | The danger level indicates how harmful the object is for the server. It depends on the class of the threat contained in the object and may assume the following values (for more information about threat classes refer to 1.1.2 on pg. 14):
• High. The object may contain a threat of the following classes: "network worms", "classic viruses", "Trojan horses", or a threat of an undefined class (this class includes new viruses currently not assigned to any known class).
• Medium. The object may contain a threat of class "other malware", "adware" or "pornware".
• Low. The object may contain a threat of class "riskware".
• Information. The object was quarantined by the user.
Threat type | The threat type according to Kaspersky Lab's classification, included in the full name of the threat returned by Anti-Virus when it finds the object suspicious or infected.
Threat name | The threat name according to Kaspersky Lab's classification, included in the full name of the threat in the object returned by Anti-Virus when it finds the object suspicious or infected. You can view the full name of the threat in the Reports node.
Date of placement | Date when the object was quarantined
Source path | Full path to the original object location, for example, to the folder from which the object was moved to the quarantine folder, to a file contained in an archive or to a .pst file in a mail database.
Size | Object size
User name | This column displays the following data:
• if the object was isolated by Anti-Virus in the Real-Time File Protection task: the name of the account under which the application accessed the object at the moment of interception;
• if the object was isolated by Anti-Virus in an on-demand scan task: the name of the account under which the task was executed;
• if the user quarantined the object manually: the account name of this user.

11.2.1. Sorting quarantined objects


By default the objects in the list of quarantined objects are sorted by the date when they were quarantined, in reverse chronological order. In order to find a required object you can sort objects by the content of the columns with information about the objects. The result of the sorting is saved if you leave and then reopen the Quarantine node, or if you close the Anti-Virus console, save the msc file and then open the console again from this file.
In order to sort objects:
1. Select the Quarantine node in the console tree.
2. In the result panel click the heading of the column by which you wish to sort the objects.

11.2.2. Filtering quarantined objects


To find a required quarantined object you can filter the objects in the list, that is, display only those objects that satisfy the filtering criteria (filters) that you specify. The result of the filtering is saved if you leave and then reopen the Quarantine node, or if you close the Anti-Virus console, save the msc file and then open the console again from this file.
To specify one or several filters:
1. Open the shortcut menu on the Quarantine node in the console tree and select Filter.
The Filter settings dialog box will open (see Figure 65).

Figure 65. The Filter settings box

2. To add a filter:
a) In the Field name list select the field to which the filter value will be compared.
b) In the Operator list select the filtering condition. The filtering conditions available in the list may differ depending on the value you have selected in the Field name list.
c) Enter the filter value in the Field value field or select it from the list.
d) Press the Add button.
The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add. If you specify several filters, they will be combined using logical "AND".
• In order to delete a filter, select the filter you wish to delete in the filter list and press the Delete button.
• In order to edit a filter, select the filter in the list displayed in the Filter settings dialog box. Then change the required values in the Field name, Operator or Field value fields and press the Replace button.
3. After you have added all filters, press the Apply button.
In order to display all objects in the list of quarantined objects again, open the shortcut menu on the Quarantine node in the console tree and select Remove Filter.

11.3. Scanning quarantined objects. The Scan Quarantine task settings
By default, each time the database is updated, Anti-Virus executes the Scan Quarantine system task. The task settings are described in Table 7. You cannot modify them.
You can modify the schedule for the Scan Quarantine task or start it manually.
After scanning the quarantined objects with updated bases, Anti-Virus may find some objects not infected: the status of such objects will change to False alarm. Other objects may be found infected, and Anti-Virus may perform on these objects the actions specified by the settings of the Scan Quarantine on-demand scan task: disinfect, delete if disinfection is not possible.

Table 7. The Scan quarantine task settings

The Scan quarantine task settings | Value
Scan scope | Quarantine folder
Scan settings | Common for the entire scan area; their values are provided in Table 8.

Table 8. Scan settings in the Scan quarantine task

Parameter | Value
Detectable objects (see A.3.2 on pg. 360) | all objects
Scanning of new and modified objects only (see section A.3.3 on pg. 362) | Disabled
Actions to be performed with infected objects (see A.3.5 on pg. 364) | disinfect, delete if disinfection is not possible
Actions to be performed with suspicious objects (see A.3.6 on pg. 366) | skip
Excluding objects (see A.3.8 on pg. 369) | no
Excluding threats (see A.3.9 on pg. 370) | no
Maximum object scan time (see A.3.10 on pg. 372) | no
Maximum size of the object to be scanned (see A.3.11 on pg. 372) | no
NTFS streams scan (see A.3.2 on pg. 360) | yes
Scan of boot sectors (see A.3.2 on pg. 360) | no
The use of iChecker technology (see A.3.12 on pg. 373) | disabled
The use of iSwift technology (see A.3.13 on pg. 374) | disabled
Scanning composite objects (see A.3.4 on pg. 363) | archives*; SFX-archives*; packed objects*; embedded OLE-object
* Scanning New and modified objects only is disabled

11.4. Restoring objects from quarantine
Anti-Virus places suspicious objects into the quarantine folder in the encrypted
form to protect the protected server against their possible harmful effect.
You can restore any object from the quarantine. This may be required in the following cases:
• if, after the quarantine scan using the updated database, the status of the object changed to False alarm or Disinfected;
• if you consider the object harmless for the server and wish to use it. If you do not want Anti-Virus to isolate this object during subsequent scans, you can exclude it from processing in the Real-time file protection task and in the on-demand scan tasks. To do so, specify the object as the value of the Excluding objects (by filename) security parameter (see A.3.8 on pg. 369) or Excluding threats (see A.3.9 on pg. 370) in these tasks.
When you restore objects you can select where the restored objects will be saved: to the original location (by default), to a special folder for restored objects on the protected server, or to a folder you specify on the computer on which the Anti-Virus console is installed or on another computer in the network.
The folder for restoration is designed for storing restored objects on the protected server. You can set special security parameters for scanning it. The path to this folder is set in the quarantine settings (see 11.8 on pg. 169).

Attention!
Restoring objects from the quarantine may lead to computer infection.

Note
If a quarantined object was contained in a composite object (for example, in an archive), Anti-Virus will not put it back into this composite object during restoration; instead it will save it separately in the selected folder.

You can restore an object and keep a copy of it in the quarantine folder for later use, for example in order to rescan the object after the database has been updated.
You can restore one or several objects.
In order to restore objects from the quarantine:
1. Select the Quarantine node in the console tree.
2. Perform one of the following actions in the result panel:
• in order to restore an object, right-click the object you wish to restore and select Restore;
• in order to restore several objects, select the objects you wish to restore using the <Ctrl> key or <Shift> key, right-click one of the selected objects and select Restore.
The Object restoration dialog box will open (see Figure 66).

Figure 66. The Object restoration dialog box



3. In the Object restoration dialog box specify, for each of the selected objects, the folder into which the restored object will be saved. (The name of the object is displayed in the Object field in the upper part of the dialog box. If you selected several objects, the name of the first object in the list of selected objects will be displayed.)
Perform one of the following actions:
• in order to restore an object to the original location, select Restore to the source folder on the server or to selected network folder;
• in order to restore an object into the folder specified as the folder for restored objects in the quarantine settings (see A.6.4 on pg. 394), select Restore to the server folder for restoration by default;
• in order to save an object to another folder on the computer on which the Anti-Virus console is installed or in a network folder, select Restore to folder on your local computer or on the network resource and then select the required folder or specify the path to it.
4. If you wish to keep a copy of the object in the quarantine folder after the object is restored, uncheck the Delete objects from storage after they are restored box.
5. In order to apply the specified restoration conditions to the rest of the selected objects, check the Apply to all selected objects box.
All selected objects will be restored and saved to the location you have specified: if you selected Restore to the source folder on the server or to selected network folder, each of the objects will be saved into its original location; if you selected Restore to the server folder for restoration by default or Restore to folder on your local computer or on the network resource, all objects will be saved into one specified folder.
6. Press the OK button.
Anti-Virus will start restoring the first of the selected objects.
7. If an object with this name already exists in the specified location, the Object with such name already exists dialog box will open (see Figure 67):

Figure 67. The Object with such name already exists dialog box

a) Select one of the following actions:
   o Replace, in order to restore the object in place of the existing one;
   o Rename, to save the restored object under a different name. In the entry field enter the new filename of the object and the full path to it;
   o Rename by adding suffix, to rename the object by adding a suffix to its filename. Enter the suffix in the entry field.
b) If you selected several objects to be restored, then in order to apply the selected action Replace or Rename by adding suffix to the rest of the selected objects, check the Apply to all objects box. (If you specified Rename, the Apply to all objects box will not be available.)
c) Press the OK button.
The object will be restored; information about the restoration operation will be entered into the system audit log.
If you did not select the Apply to all objects option in the Restoring objects dialog box, this dialog box will open again. Using this dialog box you can specify the location into which the next selected object will be saved (see Step 3 of this procedure).

11.5. Quarantining files


You can quarantine files manually.
In order to quarantine a file:
1. Right-click the Quarantine node in the console tree and select Add object.
2. In the Open file dialog box select the files on the disk that you wish to quarantine and press the OK button.

Note
If the files that you wish to quarantine are stored in one folder, you can select several files in the Open file dialog box using the <Ctrl> or the <Shift> key.

Anti-Virus will quarantine the selected file(s).

3. Perform one of the following actions in the dialog box with the name of the first selected file (if you wish to apply the action to all selected files, check the Apply to all selected objects box):
• in order to keep the file in the original location, press the Save button;
• in order to delete the file from the original location, press the Delete button.

11.6. Deleting objects from quarantine
According to the settings of the Scan Quarantine task (see 11.3 on pg. 160), Anti-Virus deletes from the quarantine folder those objects whose status has changed to Infected during the quarantine scan using the updated database and which Anti-Virus was unable to disinfect. Other objects are not deleted from the quarantine.
You can manually delete one or several objects from the quarantine.
To delete one or several objects:
1. Select the Quarantine node in the console tree.
2. Perform one of the following actions:
• in order to delete an object, right-click the object you wish to delete and select Delete object;
• in order to delete several objects, select the objects you wish to delete using the <Ctrl> key or <Shift> key, right-click one of the selected objects and select Delete object.
3. In the Confirmation dialog box press the Yes button to confirm the operation.

11.7. Sending suspicious object to Kaspersky Lab for analysis

If the behavior of a file gives you reason to suspect that it contains a threat, and Anti-Virus considers this file clean, you may have encountered a new unknown threat for which a disinfection algorithm has not yet been added to the bases. You can send this file to Kaspersky Lab for analysis. Kaspersky Lab's Anti-Virus analysts will analyze it and, if they detect a new threat in it, they will add a record identifying it to the bases. It is likely that when you rescan the object after the database has been updated, Anti-Virus will find this object infected and will be able to disinfect it. You will not only be able to save the object, but also to prevent a virus outbreak.
You can send for analysis only files from quarantine. In the quarantine folder they are stored in encrypted form, and during the transfer they will not be deleted by the Anti-Virus application installed on the mail server.
You can send for analysis a quarantined file to which Anti-Virus has assigned the status Suspicious or Warning. You cannot send for analysis quarantined files to which Anti-Virus has assigned the status Infected. (For more details on how Anti-Virus finds threats in objects see 1.1.3 on pg. 17.)

Note
You cannot send a quarantined object for analysis to Kaspersky Lab after it expires.

In order to send a file for analysis to the Anti-Virus lab:


1. If the file was not quarantined, first place it into the quarantine (see 11.5
on pg. 166).
2. In the Quarantine node in the list of quarantined objects right-click the
file you wish to send for analysis and select Send to Kaspersky Lab.

3. If a mail client is configured on the computer on which the Anti-Virus console is installed, a new e-mail message will be created. Review it and press the Send button.
The To: field will contain Kaspersky Lab's e-mail address newvirus@kaspersky.com. The Subject field will contain the text "Quarantined object". The body of the message will contain the following text: "This file will be sent to Kaspersky Lab for analysis".
The body of the message contains text "File will be sent for analysis to Kaspersky Lab". You can include in the message body any additional information about the file: why you considered it suspicious, how it behaves or how it affects the system.
Archive <object name>.cab will be attached to the message. This archive will contain the file <uuid>.klq with the object in encrypted form, the file <uuid>.txt with information about the object collected by Anti-Virus, and the file Sysinfo.txt that contains the following information about Anti-Virus and the operating system installed on the server:
• name and version of the operating system;
• Anti-Virus name and version;
• release date of the latest installed bases update;
• serial number of the active key.
This information is required by Kaspersky Lab's Anti-Virus analysts in order to analyze the file faster and more efficiently. However, if you do not wish to transfer this information, you can delete the Sysinfo.txt file from the archive.
4. If no mail client is configured on the computer on which the Anti-Virus console is installed, the Microsoft Windows internet connection setup wizard will open. You can perform the following operations:
• create a new account following the instructions of the internet connection setup wizard and send the file from this computer.
• close the wizard and save the selected encrypted object into a file. You can send this file to Kaspersky Lab in the usual way you send e-mail messages.
In order to save the encrypted object into a file:
a) in the dialog box that opens and prompts you to save the object (see Figure 68) press the OK button;
b) specify a folder on the disk of the protected server or a network folder into which you wish to save the file with the object.

Figure 68. The dialog box prompting to save a quarantine object to a file.
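
The archive layout described in step 3 makes it possible to drop Sysinfo.txt (which carries the serial number of the active key) before the archive leaves the server. The PowerShell script below is an added example, not part of this guide and not Kaspersky Lab code; it assumes you have saved a copy of the <object name>.cab attachment to disk, its parameter names are hypothetical, and it relies on the Windows tools expand.exe and makecab.exe.

```powershell
# Added example (not Kaspersky Lab code): repack a saved copy of the
# "<object name>.cab" submission archive without Sysinfo.txt.
# Assumption: the archive was saved to disk first; parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)] [string] $CabPath,    # saved submission archive
    [Parameter(Mandatory = $true)] [string] $OutputCab   # repacked archive to send
)

$ErrorActionPreference = 'Stop'

$CabPath    = (Resolve-Path -LiteralPath $CabPath).Path
$OutputCab  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputCab)
$workDir    = Join-Path $env:TEMP ('cab-repack-' + [guid]::NewGuid().ToString('N'))
$extractDir = Join-Path $workDir 'extracted'
New-Item -ItemType Directory -Path $extractDir -Force | Out-Null

try {
    # expand.exe -F:* extracts every member of the cabinet into $extractDir.
    & expand.exe $CabPath '-F:*' $extractDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

    $members = @(Get-ChildItem -LiteralPath $extractDir -File)

    # The guide lists three members: <uuid>.klq, <uuid>.txt and Sysinfo.txt.
    # Stop if the encrypted object is missing, so that a damaged archive
    # is never sent by mistake.
    $klq = @($members | Where-Object { $_.Extension -eq '.klq' })
    if ($klq.Count -ne 1) {
        throw "Expected exactly one .klq member, found $($klq.Count)"
    }

    # String comparison is case-insensitive, so "sysinfo.txt" is caught as well.
    $keep    = @($members | Where-Object { $_.Name -ne 'Sysinfo.txt' })
    $dropped = @($members | Where-Object { $_.Name -eq 'Sysinfo.txt' })
    if ($dropped.Count -eq 0) {
        Write-Warning 'Sysinfo.txt not found; the archive is repacked unchanged.'
    }

    # makecab.exe packs several files only through a directive (.ddf) file.
    $ddf = @(
        ('.Set CabinetNameTemplate="{0}"'   -f (Split-Path -Leaf   $OutputCab))
        ('.Set DiskDirectoryTemplate="{0}"' -f (Split-Path -Parent $OutputCab))
        '.Set Cabinet=on'
        '.Set Compress=on'
        '.Set MaxDiskSize=0'     # no size limit: keep everything in one cabinet
        '.Set RptFileName=nul'   # do not write setup.rpt
        '.Set InfFileName=nul'   # do not write setup.inf
    )
    # One line per member: "<source path>" "<name inside the cabinet>"
    $ddf += $keep | ForEach-Object { '"{0}" "{1}"' -f $_.FullName, $_.Name }

    $ddfPath = Join-Path $workDir 'repack.ddf'
    Set-Content -LiteralPath $ddfPath -Value $ddf -Encoding ASCII

    & makecab.exe /F $ddfPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "makecab.exe failed with exit code $LASTEXITCODE" }

    # Verify the result: expand.exe -D lists cabinet members without extracting.
    $listing = & expand.exe -D $OutputCab
    if ($listing -match 'Sysinfo\.txt') {
        throw "Sysinfo.txt is still present in $OutputCab"
    }

    Write-Output "Repacked archive: $OutputCab"
    Write-Output ("Members kept: " + (($keep | ForEach-Object Name) -join ', '))
}
finally {
    # Remove the extracted copies (the .klq stays encrypted the whole time).
    Remove-Item -LiteralPath $workDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Attach the repacked archive in place of the original; the <uuid>.klq and <uuid>.txt members are carried over unchanged.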

11.8. Configuring quarantine settings

This section contains a discussion of configuration of the quarantine settings.
New values of the quarantine settings are applied immediately after they are
saved.
Description of the quarantine settings and their default values are provided in A.6
on pg. 391.
In order to configure quarantine settings:
1. Open the shortcut menu on the Quarantine node in the console window
and select Properties (see Figure 69):

Figure 69. The Quarantine Properties dialog box

2. Using the Quarantine Properties dialog box configure the quarantine settings as per your requirements:
• in order to specify a Quarantine folder different from the default folder, select the required folder on the local disk of the protected server or specify its name and the full path to it (for more details about this setting see A.6.1 on pg. 391).
• in order to set the maximum quarantine size, check the Maximum quarantine size box and specify the required value in MB in the entry field (see A.6.2 on pg. 392).
• in order to set the minimum free space in the quarantine, set the Maximum quarantine size parameter, check the Threshold of free space box and specify the required value for the parameter in the entry field (see A.6.3 on pg. 393).
• in order to specify a different folder for restored objects, select the required folder on the disk in the Restoration settings group or enter the full path to it (see A.6.4 on pg. 393).
3. Press the OK button.

11.9. Quarantine statistics


You can view information about the number of the quarantined objects - quarantine statistics.
In order to view the quarantine statistics right-click the Quarantine node in the console window and select Statistics (see Figure 70).

Figure 70. The Statistics dialog box



The Statistics dialog box displays the following information about the number of quarantined objects at the current moment:

Field | Description
Infected objects | The number of infected objects a) that received the Infected status after the quarantine check and the Anti-Virus was unable to disinfect or delete them and b) that Anti-Virus quarantined according to the value of the Actions to be performed with objects depending on the threat type parameter.
Suspicious objects | The number of suspicious objects and objects that potentially contain malicious code. For more details on how Anti-Virus finds threats in objects see 1.1.3 on pg. 17.
Used quarantine space | The total size of data in the quarantine folder
False alarm objects | The number of objects that received the False alarm status because they were found clean during the quarantine scan using the updated bases
Objects disinfected | The number of objects that received the Disinfected status after the quarantine scan
Total number of objects | The total number of quarantined objects


CHAPTER 12. BACKUP COPYING OF OBJECTS BEFORE DISINFECTION/DELETION; USING BACKUP STORAGE

This chapter contains the following information:

• about backup copying of the objects before disinfection / deletion (see 12.1 on pg. 173);
• viewing objects in Backup, sorting and filtration of files (see 12.2 on pg. 174);
• restoration of files from Backup (see 12.3 on pg. 178);
• deleting files from Backup (see 12.4 on pg. 181);
• configuring backup storage settings (see 12.5 on pg. 182);
• backup storage statistics (see 12.6 on pg. 183).
A description of the backup storage settings is provided in section A.7 on pg. 394.

12.1. About backup copying of objects before disinfection / deletion

Before disinfecting or deleting a file with Infected status, Anti-Virus saves its encrypted copy in a special folder - backup storage.
Anti-Virus also places into Backup encrypted copies of files with the status Suspicious and Potentially containing malicious code if you selected Delete as the action to be performed with suspicious objects in the security settings of the Real-time file protection task or an on-demand scan task.
If the object is a part of a composite object (for example, if it is included in an archive), then Anti-Virus will save the entire composite object in the backup storage.

You can restore files from Backup either to the original folder or to another folder on the protected server or another computer in the local area network. You can restore the file from Backup, for example, if an infected file contained important information, but during the disinfection of this file Anti-Virus was unable to maintain its integrity and therefore the information became unavailable.

Attention!
Restoring files from Backup may lead to computer infection.

12.2. Viewing files stored in Backup


You can view files stored in the Backup folder only using the Anti-Virus console, in the Backup node. You cannot view them using Microsoft Windows file management tools.
In order to view the files in Backup, select the Backup node in the console tree (see Figure 71).
In order to find the required object in the list you can sort objects (see 12.2.1 on pg. 176) or filter the objects (see 12.2.2 on pg. 176).

Figure 71. Information about files in Backup of Anti-Virus console

The following information about a file stored in Backup will be displayed in the result panel:

Field | Description
Object | Name of the file a copy of which is saved to Backup
Result | File status based on the presence/absence of threat.
• Infected. File has been found infected - full coincidence of a section of the object's code with a section of the code of a known threat has been detected.
• Suspicious. File has been found suspicious - partial coincidence of a section of the object's code with a section of the code of a known threat has been detected.
• Potentially containing malicious code. File was detected by the heuristic analyzer.
For more details on how Anti-Virus finds threats in objects see 1.1.3 on pg. 17.
Danger level | The threat level indicates how harmful the object is for the server. The severity level depends on the class of the threat contained in the object and may assume the following values:
• High. The file may contain a threat of the following types: "network worms", "classic viruses", "Trojan horses", or a threat of an undefined class (this class includes new viruses currently not referred to any known class);
• Medium. The file may contain a threat of type "other malware", "adware" or "pornware";
• Low. The file may contain a threat of type "riskware".
For more details about threats detectable by Anti-Virus see 1.1.2 on pg. 14.
Threat type | The threat type according to Kaspersky Lab's classification, included into the full name of the threat returned by Anti-Virus when Anti-Virus finds the file infected. You may view the full name of a threat contained in the object in the Reports node in the detailed report about the task execution.
Threat name | The threat name according to Kaspersky Lab's classification, included into the full name of the threat returned by Anti-Virus when Anti-Virus finds the file infected. You may view the full name of a threat contained in the object in the Reports node in the detailed report about the task execution.
Date of placement | Date and time when the file was saved in the Backup folder
Source path | Full path to the original folder - the folder in which the file was located before Anti-Virus saved its copy in Backup
Size | File size
User name | This column displays the following data:
• if the file was backed up by Anti-Virus in the Real-Time File Protection task - the name of the account using which the application accessed the file at the moment of interception;
• if the object was backed up by Anti-Virus in an on-demand scan task - the name of the account using which the task was executed.

To learn how to configure Backup settings see 12.5 on pg. 182.

12.2.1. Sorting files in Backup


By default files in Backup are sorted by the date they were saved in the reverse
chronological order.
In order to find the required file you can sort files by the content of any column in
the result panel. The result of the sorting will be saved if you leave and then
open Backup node again or if you close the Anti-Virus console, save the msc file
and then open it again from this file.
In order to sort files in Backup:
1. Select Backup node in the console tree.
2. In the file list of Backup click the heading of the column by which you wish to sort the objects.

12.2.2. Filtering files in Backup


In order to find a required file in Backup you can filter files - display in Backup
node only those files which satisfy the filtering criteria you have specified (filters).

The result of the filtering will be saved if you leave and then open Backup node
again or if you close the Anti-Virus console, save the msc file and then open it
again from this file.
In order to filter files in Backup:
1. Right-click Backup node in the console tree and select Filter.
The Filter settings dialog box will open (see Figure 72).

Figure 72. The Filter settings dialog box

2. To add a filter:
a) In the Field name list select the field whose values will be compared with the filter value you specify.
b) In the Operator list select the filtering condition. The values in the list of the filtering conditions may differ depending on the value you have selected in the Field name field.
c) Enter or select the filter value in the Filter value field.
d) Press the Add button.
The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add. If you specify several filters they will be combined using logical "AND".

• In order to delete a filter, select the filter you wish to delete in the filter list and press the Delete button.
• In order to edit a filter, select it in the filter list in the Filter settings dialog box, modify the required values in the Field name, Operator or Field value fields and press the Replace button.
3. After you have added all filters, press the Apply button. Only files selected by the filters you have specified will then be displayed in the list.
In order to display all files included in the list of objects stored in Backup, open the shortcut menu on the Backup node in the console tree and select Remove Filter.

12.3. Restoring files from Backup


Anti-Virus stores files in the Backup folder in encrypted form to protect the protected server against their possible harmful effect.
You can restore any file from Backup.
You may need to restore an object in the following cases:
• if the original file that appeared to be infected contained important information and during the disinfection Anti-Virus was unable to maintain its security and the information in the file became unavailable;
• if you consider the file not dangerous for the server and wish to use it. If you do not wish Anti-Virus to consider this file infected (suspicious) during the subsequent scans you can exclude it from the processing in the Real-time file protection task and in the on-demand scan tasks. Specify the file as parameter Excluding objects (see A.3.8 on pg. 369) or Excluding threats (see A.3.9 on pg. 370).

Attention!
Restoring files from Backup may lead to computer infection.

When you restore a file you can select where it will be saved: to the original folder (by default), to a special folder for restored objects on the protected server, or to a folder you specify on the computer on which the Anti-Virus console is installed or on another computer in the network.
A folder for restoration is designed for storing restored objects on the protected server. You can set special security parameters to scan it. The path to this folder is set by Backup settings (see 12.5 on pg. 182).
By default when Anti-Virus is restoring a file it deletes its copy from Backup. You can save a file copy in Backup after it is restored.

In order to restore files from backup storage:


1. Select Backup node in the console tree.
2. Perform one of the following actions:
• in order to restore one file, right-click the file you wish to restore in the list of files in Backup and select Object restoration.
• in order to restore several files, select the objects you wish to restore in the list using the <Ctrl> key or <Shift> key, right-click one of the selected objects and select Object restoration.
3. In the Object restoration dialog box (see Figure 73) specify the folder into which the restored file will be saved.
The name of the file is displayed in the Object field in the upper part of the dialog box. (If you selected several files, the name of the first file in the list of selected objects will be displayed.)

Figure 73. The Object restoration dialog box

Perform one of the following actions:

• in order to save a file being restored on the protected server, select:
o Restore to the source folder on the server or to selected network folder if you do not wish to restore the file into the original folder;
o Restore to the server folder for restoration by default - if you wish to restore the file into the folder that you specified as the folder for restored objects in the settings of Backup (see 12.5 on pg. 182);
• in order to save the restored file into a different folder, select Restore to folder on your local computer or on the network resource and select the required folder (on the computer on which Anti-Virus console is installed or a network folder) or specify the path to it.
4. If you wish to save a copy of a file in the Backup folder after this object is restored, uncheck the Delete objects from storage after they are restored box.
5. If you selected several files to be restored, then in order to apply the selected saving conditions to the rest of the selected objects, check the Apply to all selected objects box.
All selected files will be restored and saved to the location you have specified: if you selected Restore to the source folder on the server or to selected network folder, each of the files will be saved into its original location; if you selected Restore to the server folder for restoration by default or Restore to folder on your local computer or on the network resource, all objects will be saved into one specified folder.
6. Press the OK button.
Anti-Virus will start restoring the first of the selected files.
7. If a file with this name already exists in the specified location, an Object with such name already exists dialog box will open (see Figure 74).

Figure 74. The Object with such name already exists dialog box

Perform the following actions:

a) Select the condition for saving the restored file:
o Replace, in order to restore a file instead of the existing one;
o Rename the object to save the restored file under a different name. In the entry field enter a new filename and full path to it;
o Rename by adding suffix, to rename the file by adding a suffix to its filename. Enter the suffix into the entry field.
b) If you wish to apply the selected action Replace or Rename by adding suffix to other selected files, check the Apply to all objects box. (If you specified Rename, the Apply to all objects box will not be available.)
c) Press the OK button.
The object will be restored. Information about the restoration operation will be registered in the system audit log.
If you selected several files to be restored and did not select the Apply to all objects option in the Restoring objects dialog box, this dialog box will open again. Using this dialog box you can specify the folder into which the next selected object will be saved (see Step 3 of this procedure).

12.4. Deleting files from Backup


In order to delete one or several files from Backup:
1. Select Backup node in the console tree.
2. Perform one of the following actions:
• in order to delete one file, right-click the file you wish to delete in the list of objects and select Delete object;
• in order to delete several files, select the files you wish to delete using the <Ctrl> key or <Shift> key, right-click one of the selected files and select Delete object.
3. In the Confirmation dialog box press the Yes button to confirm the operation. The selected files will be deleted.

12.5. Configuring backup storage settings

This section contains a discussion of how to configure Backup settings. A description of Backup settings and their default values is provided in A.7 on pg. 394.
The new values of Backup settings are applied immediately once you save them.
In order to configure Backup settings:
1. Right-click Backup node in the console tree and select Properties (see
Figure 75).

Figure 75. The Backup Properties dialog box

2. Perform the following in the Backup Properties dialog box:

• in order to specify the folder-location of Backup, select the required folder on the local drive of the protected server or enter the full path to it in the Backup folder field (for more details about this setting refer to A.7.1 on pg. 395);
• in order to set the maximum backup storage size, check the Maximum storage size box and specify the required value in MB in the entry field (see A.7.2 on pg. 395);
• in order to set the free space threshold for the backup storage, set the Maximum storage size setting, check the Threshold of free space box and specify the minimum free space value for the backup storage in megabytes (see section A.7.3 on pg. 396);
• in order to specify a folder for restored objects, select the required folder on the local drive of the protected server in the Restoration settings group or enter the folder name and the full path to it in the Restore to folder field (see A.7.4 on pg. 397).
3. Press the OK button.

12.6. Backup storage statistics


You can view the information about the current status of Backup - Backup statistics.

In order to view Backup statistics right-click Backup node in the console tree and
select View Statistics (see Figure 76):

Figure 76. The Backup statistics dialog box

The Backup statistics dialog box displays the following information about the current status of Backup:

Field | Description
Used storage space | The amount of data in the Backup folder
Total number of objects | The current total number of objects in Backup

CHAPTER 13. EVENT REGISTRATION

This chapter contains the following information:

• about the methods of Anti-Virus event registration (see 13.1 on pg. 185);
• task execution reports: viewing, deletion, configuration (see 13.2 on pg. 186);
• system audit log: viewing, purging (see 13.3 on pg. 199);
• Anti-Virus statistics - information about the current status of Anti-Virus, its functional components and tasks being executed (see 13.4 on pg. 203);
• event log of Anti-Virus in Microsoft Windows MMC console "Event viewer" (see 13.5 on pg. 207).

13.1. Methods of event registration


Events in the Anti-Virus are classified as related to the object processing in tasks and related to the Anti-Virus management - the latter include such events as Anti-Virus startup, creation and deletion of tasks, starting tasks, modifying task settings, etc.
Anti-Virus registers events as follows:
• It creates reports about task execution. A report about execution of a task contains information about the current status of the task and events that occurred during its execution (see 13.2 on pg. 186);
• It maintains the system audit log; this log is used to register events related to the Anti-Virus management (see 13.3 on pg. 199);
• It gathers statistics of its work - information about the current status of functional components and about tasks currently being executed (see 13.4 on pg. 203);
• It maintains the event log in the Microsoft Windows Event Viewer. The log registers events important for diagnosing failures (see 13.5 on pg. 207).

If a problem occurs during Anti-Virus operation (for example, Anti-Virus or its individual task terminates abnormally or does not start), you can create a tracking log and an Anti-Virus process memory dump and send files with this information for analysis to Kaspersky Lab's Technical Support Service in order to diagnose the problem encountered. For details about creating the tracking log and memory dump, see 3.2 on pg. 40.

13.2. Task execution reports


This chapter contains the following information:
• about task execution reports (see 13.2.1 on pg. 186);
• viewing summary reports (see 13.2.2 on pg. 187);
• sorting summary reports in the list (see 13.2.3 on pg. 191);
• viewing detailed reports about task execution (see 13.2.4 on pg. 191);
• export of information from the detailed report into a text file (see 13.2.5 on pg. 196);
• deleting tasks (see 13.2.6 on pg. 196);
• changing the information detail level for reports about execution of tasks of individual functional components and in the event log (see 13.2.7 on pg. 197).

13.2.1. About task execution reports


In the Reports node you can view summary and detailed reports about Anti-Virus task execution. A summary report is a line with information about the task state and the general status of processed objects from the Anti-Virus security point of view. The detailed report contains task performance statistics (information about each object processed by Anti-Virus since the task was started, and task settings).
By default reports are stored for unlimited time. In detailed reports about tasks that are currently being executed, event records created over 30 days ago will be deleted. Summary reports about tasks will be deleted 30 days after completion of the task. Using Anti-Virus settings you can change the report storage time or disable the function of automatic deletion of reports in order to store them indefinitely (see Chapter 3 on pg. 40). You can also manually delete a selected report.

13.2.2. Viewing summary reports. Summary reports' status

In order to view the summary task performance report:
1. Select Reports in the console tree (see Figure 77).

Figure 77. The list of reports in the result panel

2. In the result panel find the required task report (in order to quickly find
the report in the list you can filter or sort the records by any column).
To learn how to view a detailed report about the task execution, see
13.2.4 on pg. 191.
The following information about the task execution will be contained in the report:

Field | Description
Report status | Summary characteristics obtained based on the task statistics; reflects the general status of the processed objects from the Anti-Virus security point of view. By the importance level, the report statuses can be information, warning or critical. The statuses of the scan and update task reports are described in the tables below.
Task name | The name of the task whose report you are viewing.
Task type | Task type, corresponds to the functional component in which the task is created (real-time file protection, script monitoring, on-demand scan, scan quarantine objects, application integrity control, application database update, application modules update, updates distribution, database update rollback).
Category | Anti-Virus task category: system, user-defined or group task. For more details about task categories see 5.1 on pg. 48.
Task status | Current task status: Running, Completed, Paused, Failed or Interrupted by user, Resuming.
Completion time | If the task has been completed by the current moment, the date and the time of its completion will be displayed in this column. If the task is running at the moment, this field will remain empty.

Table 9. On-demand scan task reports' statuses

Severity level | Report status | Report status description
 | No threats found | Anti-Virus scanned all objects in this area. Anti-Virus has found all objects in this area not infected.
 | Some objects have not been processed | Anti-Virus found all scanned objects clean; one or several objects were skipped, for example, they were excluded from the scan by the security settings or were being used by other applications at the moment they were accessed. Some objects, such as Microsoft Windows system files, may be in use at the moment they are accessed. Anti-Virus will not scan them and the task will complete with status Some objects were not processed.
 | Corrupted objects found | Anti-Virus found all scanned objects clean; one or several objects in the selected area were skipped: Anti-Virus was unable to read these objects as their format is corrupted.
 | Suspicious objects found | Anti-Virus has found one or several suspicious objects. To learn exactly which objects are suspicious refer to the detailed report about task execution (see 13.2.4 on pg. 191).
 | Infected objects found | Anti-Virus has found threats in one or several objects. To learn exactly which objects contain threats refer to the detailed report about the task execution (see 13.2.4 on pg. 191).
 | Processing errors | Anti-Virus has found all scanned objects clean. An Anti-Virus error occurred during the scan of one or several objects. Note: An object during the processing of which an Anti-Virus error occurred may contain a threat. We recommend that you quarantine this object and rescan it in the quarantine after the database has been updated (see 11.3 on pg. 160). If the task is repeated, refer to Kaspersky Lab's Technical Support Service. For detailed information on how you can contact the Technical Support Service, see section 1.2.3 on pg. 21.
 | Critical errors | Task execution failed. You can see the information on the error cause in the detailed report on task execution.

Table 10. Statuses of the bases update and update downloading task reports

Severity level | Report status | Report status description
 | No errors found | Anti-Virus downloaded and successfully applied updates.
 | Critical errors | An error occurred while the updates were downloaded or when they were applied. You can view the name of the update which was not applied and what caused this error in the detailed report about the task execution.

Table 11. Statuses of the application modules update task reports

| Severity level | Report status | Report status description |
|---|---|---|
| | No errors found | Anti-Virus downloaded and successfully applied updates. |
| | Critical update is available | Critical updates of Anti-Virus modules published. |
| | Planned update is available | Scheduled updates of Anti-Virus modules published. |
| | Critical and planned updates are available | Both critical and scheduled updates of Anti-Virus modules published. |
| | Installation of downloaded updates is in progress | Anti-Virus successfully downloaded the updates and is installing them. |
| | It is necessary to restart the computer to complete the update | Restart server to apply the updates. |
| | Critical errors | An error occurred while the updates were downloaded or when they were applied. You can view the name of the update which was not applied and what caused this error in the detailed report about the task execution. |

13.2.3. Sorting reports


By default reports are displayed in the list in reverse chronological order. You can sort reports by any column. The result of the sorting will be saved if you leave and then select the Reports node again or if you close the Anti-Virus console, save the msc file and then open it again from this file.
In order to sort reports:
1. Select Reports in the console tree.
2. In the information panel, click on the column heading by which you wish to sort the reports.

13.2.4. Viewing detailed report about task execution

You can view information about all events that have occurred in the task since it was launched in the report about task execution. For example, you can learn in which of the processed objects the threat was detected.
In order to view the detailed report about task execution:
1. Select Reports in the console tree.
2. In the list of reports, right-click the summary report on events you wish to view in the task report and select View report.
The Detailed report dialog box contains the Events tab with information about events that occurred in the task, the Statistics tab that displays the time of the task launch and completion as well as its statistics, and the Settings tab with the task's settings.
The Events tab contains the following information about events in the task (see Figure 78):

Figure 78. An example of a detailed Real-time file protection task report

| Field | Description |
|---|---|
| Event importance level | By importance level, events in the detailed reports are information, important and critical. |
| Object | Name of the processed object and path to it. |
| Event | Event type and additional information about the event. This column (in the Script monitoring task) also displays the identifier (PID) of the process that executes the script intercepted by Anti-Virus. |
| Event time | Date and time of the event occurrence. |

In addition to the above fields, the detailed analysis about the Real-time file protection and Script monitoring tasks contains the Username field.

| Field | Description |
|---|---|
| Computer | Name of the computer from which the application accessed the object. |
| User name | Username of the account under which the application accessed the object. If the object was accessed by an application running under the Local system (SYSTEM) account, this column contains the record <domain> <computer name>$. In the Real-time File Protection task, Anti-Virus registers the value localhost as the computer name rather than the network name of the protected server if an application running on the protected server accesses the object. |

To view task statistics, open the Statistics tab in the Detailed report dialog box
(see Figure 79).

Figure 79. The Detailed report dialog box, Statistics tab



To view task settings, open the Settings tab in the Detailed report dialog box
(see Figure 80).

Figure 80. The Detailed report dialog box, Settings tab

While you are viewing a detailed report, you can apply one or several filters in
order to find the required event on the Events tab.
To specify one or several filters:
1. Press the Filter button in the bottom part of the Detailed report dialog
box. The Filter settings dialog box will open (see Figure 81).

Figure 81. The Filter settings dialog box

2. In order to add a filter:
a) In the Field name list select a field to which the filter value will be compared.
b) In the Operator list select the filtering condition. The values of the filtering conditions in the list may differ depending on the value you have selected in the Field name field.
c) Enter the filter value in the Field value field or select it from the list of possible values.
d) Press the Add button.
The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add.
• In order to delete a filter, select it in the filter list and press the Delete button.
• In order to edit a filter, select the filter in the list in the Filter settings dialog box. Then change the required values in the Field name, Operator or Field value field and press the Replace button.
3. After you have added all filters, press the Apply button. The list of objects in the Detailed report will display only objects selected based on the filters.

In order to display all objects, press the Remove filter button in the bottom part
of the Detailed report dialog box.

13.2.5. Exporting information from a detailed report into a text file

In order to export information from a detailed report into a text file:
1. Select Reports from the console tree.
2. In the report list open a shortcut menu on the summary report about the task whose events you wish to view in the detailed report and select the View Report command.
3. In the bottom part of the Detailed Report dialog box press the Export button and in the Browse dialog box specify the name of the file into which you wish to save information from the detailed report and the encoding system you wish to use (Unicode or ANSI).

13.2.6. Deleting reports


By default the reports are stored for a limited time (you can change the report storage period using the common Anti-Virus setting Report storage time, see 3.2 on pg. 40).
In the Reports node you can delete reports about completed tasks.
To delete one or several reports:
1. Select Reports in the console tree.
2. Perform one of the following actions:
• in order to delete one report, right-click the report you wish to delete in the list of reports and select Delete;
• in order to delete several reports, select the reports you wish to delete using the <Ctrl> key or <Shift> key, right-click one of the selected reports and select Delete.
In the Confirmation dialog box press Yes to confirm the operation. The selected reports will be deleted.

13.2.7. Report and event log detail level settings

Using the settings described below you can specify which events will be registered in the Detailed reports about task execution of individual functional Anti-Virus components and which events will be registered in the Event log. For information about the Anti-Virus Event log refer to 13.5 on pg. 207.
Based on the level of importance, Anti-Virus events associated with task execution can be of three types: information, important and critical.
Information events, for example No threats detected or No errors, reflect the results of the Anti-Virus operation.
Important events, such as Update source connection error, may affect Anti-Virus functionality.
Critical events may lead to the disruption of the Anti-Virus security of the protected server. Such events include, for example, Module integrity breached, Threat detected or Internal task error.
The detail level in the detailed reports about task events and in the Event log corresponds to the level of importance of events registered in the log. You can set one of three detail levels ranging from the Information level, in which events of all importance levels are registered, to the Critical level, in which only critical events are registered. By default, the Important events level (only important and critical events) is set for all components except the Update component, for which the Information events level is set.
Additionally you can manually specify individual events that will be registered in detailed reports and in the event log.
In order to set the detail level of events in the detailed reports about task execution and in the event log:
1. Right-click the Reports node in the console tree and select Properties.
2. In the Component list in the Reports Properties dialog box (see Figure 82) select the Anti-Virus functional component for which you wish to set the event detail level.

Figure 82. The Reports Properties dialog box

3. Perform one of the following actions:
• in order to set the detail level in Detailed reports about events in the tasks of the selected functional components, select the required level in the Level of detail list;
  Boxes next to the events in the list of events which will be included into the reports and the event log in accordance with the detail level selected will be checked.
• in order to enable or disable registration of certain events of a functional component, select User-defined settings in the Level of detail list and perform the following actions in the component's event list:
  o in order to enable registration of an event in detailed reports about task execution, check the Reports box associated with this event; in order to disable registration of an event in detailed reports, uncheck the corresponding Reports box.
  o in order to enable registration of an event in the event log, check the Event log box associated with this event; in order to disable registration of an event in the event log, uncheck the corresponding Event log box.
4. Press OK.

13.3. System audit log


Anti-Virus keeps a System audit log of non-task related events such as launching Anti-Virus, starting and stopping tasks, modifying task settings, creating and deleting on-demand scan tasks, etc. Records about these events are displayed in the System audit log node.
Anti-Virus will automatically delete records about events created more than 30 days ago from the System audit log. To store the records indefinitely you can change the record storage period or disable the record deletion function (see 3.2 on pg. 40).
In order to view events in the system audit log, select the System audit log node in the console tree (see Figure 83):

Figure 83. The System audit log node

The results panel displays the following information about events:


| Field | Description |
|---|---|
| Event | Event description that includes the type of event and additional information about it. Based on the importance level, events can be information, important and critical. |
| Task name | Name of the Anti-Virus task whose execution the event is connected with. |
| User name | If an event is requested by an Anti-Virus user, this user's login will be displayed. If the action was not requested by a user but was started by Anti-Virus itself, for example a scheduled on-demand scan task, this column will contain the record <domain> <computer name>$, which matches the System account. |
| Event time | Event registration time in the time zone of the protected server in the format set by the Microsoft Windows server regional settings. |
| Component | The functional Anti-Virus component in the operation of which the event has occurred. If the event is not associated with the operation of an individual component, but is related to Anti-Virus operation in general, for example starting Anti-Virus, this column contains the record Application. |
| Computer | Name of the computer whose access to the server has been blocked or allowed (only for the Blocking access from computers function). |

You can perform the following actions with events in the System audit log node:
• sort events (see 13.3.1 on pg. 200);
• filter events (see 13.3.2 on pg. 201);
• delete events (see 13.3.3 on pg. 202).

13.3.1. Sorting events in System audit log


By default, events in the System audit log node are displayed in the reverse
chronological order.

In order to find an event in the list you can sort the events by any column with
information. The result of the sorting will be saved if you leave and then select
the System audit log node again or if you close the Anti-Virus console, save the
msc file and then open it again from this file.
In order to sort events:
1. Select System audit log in the console tree.
2. In the result panel click the column heading by which you wish to sort
the events in the list.

13.3.2. Filtering events in System audit log


In order to find an event in the system audit log you can filter events, that is, display in the list only those events that satisfy the filtering criteria (filters) that you have specified.
The result of the filtering will be saved if you leave and then select the System
audit log node again or if you close the Anti-Virus console, save the msc file and
then open it again from this file.
In order to filter events in System audit log:
1. Right-click the System audit log node in the console tree and select
Filter.
The Filter settings dialog box will open (see Figure 84).

Figure 84. The Filter settings dialog box



2. To add a filter:
a) In the Field name list select a field to which the filter value will be compared.
b) In the Operator list select the filtering condition. The values of the filtering conditions in the list may differ depending on the value you have selected in the Field name field.
c) Enter the filter value in the Filter value field or select it from the list of possible values.
d) Press the Add button.
The filter you have added will appear in the list of filters in the Filter settings dialog box. Repeat these actions for each filter you wish to add. If you specify several filters they will be combined using logical "AND".
• In order to delete a filter, select the filter you wish to delete in the filter list in the left part of the dialog box and press the Delete button.
• In order to edit a filter, select it in the list of filters in the Filter settings dialog box. Then change values in the Field name, Operator or Field value fields and press the Replace button.
3. After you have added all filters, press the Apply button. Only events selected by the filters you have specified will then be displayed in the event list.
In order to display all events again, open the shortcut menu on the System audit
log node in the console tree and select Remove filter.

13.3.3. Deleting objects from System audit log

By default the Anti-Virus stores events in the system audit log for unlimited time.
You can limit the event storage period (see Event storage period in the system
audit log setting in 3.2 on pg. 40).
You can manually delete all events from the system audit log.
In order to delete all events from the system audit log:
1. Right-click the System audit log node in the console tree and select
Clear.
2. In the Confirmation dialog box press Yes to confirm the operation.

13.4. Anti-Virus statistics


Anti-Virus statistics is information about the current status of Anti-Virus, its functional components and tasks being executed.
In order to view Anti-Virus statistics select the Statistics node in the console tree.
The following Anti-Virus information will be displayed in the result panel:
• link to Anti-Virus website;
• Anti-Virus version and its installation date;
• information about the active key: serial number, type, expiration date and information about how soon the key expires:
  – not less than 14 days remain before the key expiration;
  – less than 14 days, but not less than 7 days remain before the key expiration;
  – less than 7 days remain before the key expiration.
  You can modify the administrator's notification about upcoming key expiration (see 15.2 on pg. 216).
• the status and the settings of the Anti-Virus functional components and the statistics of the tasks being executed (see description in Table 12).
By default information in the Statistics node is updated every minute. You can also update the information in the Statistics node manually.
In order to update information in the Statistics node manually, open the shortcut menu in the Statistics node and select the Update command.

Table 12. Information about Anti-Virus functional components in the Statistics node

Component/Task: Real-time file protection task
Information in the Statistics node:
Task status:
– IN PROGRESS - the task is in progress;
– STOPPED - the task is paused or stopped;
Task statistics:
Threats detected - the number of threats detected since the time the task was started;
Preventing virus outbreaks:
• Activated – the protection level in the Real-time file protection task was increased in accordance with the Virus outbreak protection settings (for more details, see A.4.4 on pg. 378);
• Not activated – the Virus outbreak prevention mode is not applied by Anti-Virus.
Objects scanned – the number of objects scanned since the time the task was last started.
If the task is started, the Advanced hyperlink will open the Task execution statistics dialog box (see 6.3 on pg. 83).

Component/Task: Blocking access from computers
Information in the Statistics node:
Status of automatically blocking access from computers:
– the function of blocking access from computers is enabled; the Details… hyperlink opens the Statistics dialog box (see 7.9 on pg. 97);
– Function of blocking access from computers is enabled.
Blocking statistics:
Computers in the blocking list - the number of computers that are currently included into the block list;

Component/Task: Script monitoring task
Information in the Statistics node:
Task status:
– IN PROGRESS - the task is in progress;
– STOPPED - the task is paused or stopped;
Task statistics:
Threats detected - the number of threats detected since the time the task was started;
Objects scanned - number of scripts processed since the task was last started;
Scripts blocked - the number of malicious or suspicious scripts that Anti-Virus detected and blocked since the task had started;
If the task is started, the Details… hyperlink will open the Task execution statistics dialog box (see 6.5 on pg. 86).

Component/Task: Database updating task
Information in the Statistics node:
General status of the Anti-Virus database on the protected server:
– databases are up-to-date;
– databases are obsolete;
– databases are outdated.
For more details on the bases status see 10.1 on pg. 136.
Database release date - date and time that the current databases were created;
Databases records count – total number of entries in the databases currently in use.

Component/Task: Quarantine
Information in the Statistics node:
General quarantine status (displayed if the Maximum quarantine size and the Minimum free space in quarantine settings are applied):
– the maximum quarantine size has not been reached; the minimum free quarantine space value has not been reached;
– the maximum quarantine size has not been reached; but the minimum free quarantine space value has been reached;
– maximum quarantine size has been reached.
When the total size of Quarantine reaches the number selected in the settings, Anti-Virus notifies the administrator of this (if notifications are configured for those events). To learn how to configure notifications, see Chapter 15 on pg. 214. To learn how to configure quarantine settings see 11.8 on pg. 169.
Quarantine statistics:
Quarantined objects - the number of objects currently quarantined;
Size - the amount of data in the quarantine folder
The Details… link opens dialog box Quarantine statistics (see 11.9 on pg. 171).

Component/Task: Backup storage
Information in the Statistics node:
General status of Backup (displayed if the values of the Maximum backup storage size and the Minimum backup storage free space settings are specified):
– the maximum size of Backup has not been reached; the minimum size of the free space in Backup has not been reached;
– the maximum backup storage size has not been reached; but the minimum free backup storage space value has been reached;
– the maximum backup storage size has been reached.
When the total size of Backup reaches the number selected in the settings, Anti-Virus notifies the administrator of this (if notifications are configured for those events). Anti-Virus will continue placing objects into Backup. To learn how to configure notifications, see Chapter 15 on pg. 214. To learn how to configure backup storage settings see 12.5 on pg. 182.
Backup statistics:
Backup objects - the number of objects currently in Backup;
Size - the amount of used space in Backup
The Details… link opens dialog box Backup storage statistics (see 12.6 on pg. 183).

13.5. Anti-Virus event log in Event Viewer

You can view the Anti-Virus event log using the Microsoft Windows MMC Event Viewer. In this console Anti-Virus registers events important for the Anti-Virus security of the protected server and diagnostics of Anti-Virus failures.
You can select which events to record in the event log:
• by event types.
• by detail levels. The detail level corresponds to the level of the event importance in which it is registered (informational, important, or critical events). The most detailed is the Information level, which registers events of all importance levels; the least detailed is the Critical level, which registers critical events only. By default, for all components except the Update component the Important events detail level is selected (only important and critical events are registered); for the Update component the Information events level is selected.
To learn how to select events for registration in the Event log see 13.2.7 on pg. 197.
In order to view the Event log:
1. Add Event Viewer to the MMC console. If you control the server protection remotely from the administrator's station, specify the protected server as the computer to be controlled by the utility.
2. Select the Kaspersky Anti-Virus node in the Event Viewer console tree (see Figure 85).

Figure 85. Information about Anti-Virus events in Event Viewer


CHAPTER 14. INSTALLING AND DELETING LICENSE KEYS

This chapter contains the following information:
• About Anti-Virus license keys (see 14.1 on pg. 209);
• View license key info (see 14.2 on pg. 210);
• Key installation (see 14.3 on pg. 212);
• Deleting keys (see 14.4 on pg. 213).

14.1. About Anti-Virus license keys


A key is a text file with the extension .key. It contains information about Anti-Virus usage rights and restrictions.
When the key is written, its limit date, that is, the date after which the key becomes invalid (for example, December 31, 2010, if the key is written in 2007), is set, as well as the key validity period in days (for example, 365 days). Kaspersky Lab writes license keys with various validity periods.
When you install a key, Anti-Virus calculates the expiration date of the key validity period. This date arrives after the length of time in the validity period has elapsed since key installation, but no later than the date on which the key becomes invalid.
During this time, you have access to the following features:
• Anti-Virus protection;
• Regular database updates;
• Critical Anti-Virus patches;
• Possibility to install scheduled Anti-Virus upgrades.
During this period, Kaspersky Lab or one of its partners will provide you with technical support, if provided for by the terms of the key.
After the expiration date of the key, Anti-Virus stops performing its functions. Depending on the type of key, you will not be able to use either the Anti-Virus module and database update feature or all Anti-Virus features.
There are three types of Anti-Virus keys: beta, trial, and commercial.

Beta
Beta keys are free. They are only given out during Anti-Virus beta-testing. After the expiration date of the key, Anti-Virus stops performing all of its functions.
Trial
Trial keys are also free. They are designed for trying out Anti-Virus. A trial key has a short lifespan. After the expiration date of the key, Anti-Virus stops performing all of its functions. You can only install one trial key for Anti-Virus.
Commercial
After the expiration date of a commercial license key, Anti-Virus continues performing all of its functions except for updates. It scans the server using databases installed prior to the license key expiration date. It will not detect threats that Kaspersky Lab specialists added to the database after the key expired and will not disinfect files infected with those threats. Technical Support is also only provided for the key validity period.
You can purchase and install two keys at the same time, one as the active key and the other as a backup. The active key becomes effective as soon as you install it, and the backup key will become active automatically when the active key expires.
An Anti-Virus key can have a usage restriction according to the number of servers.
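
The expiration rule above, together with the three expiration states listed in 13.4 and the per-type behaviour after expiry, worked through as an added example (not Kaspersky Lab code). The class, function and state names are assumptions made for illustration, and the key values are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

KEY_TYPES = ("beta", "trial", "commercial")  # the three key types named in 14.1


@dataclass(frozen=True)
class LicenseKey:                # hypothetical model of the fields 14.1 describes
    key_type: str                # one of KEY_TYPES
    validity_days: int           # validity period in days, set when the key is written
    limit_date: date             # date after which the key becomes invalid
    support_in_terms: bool       # whether the key's terms provide technical support


def expiration_date(key: LicenseKey, installed_on: date) -> date:
    """Installation date plus the validity period, capped by the key's limit date."""
    return min(installed_on + timedelta(days=key.validity_days), key.limit_date)


def expiry_state(key: LicenseKey, installed_on: date, today: date) -> str:
    """Classify the days remaining into the three states listed in 13.4."""
    days_left = (expiration_date(key, installed_on) - today).days
    if days_left < 0:
        return "expired"
    if days_left < 7:
        return "less than 7 days"
    if days_left < 14:
        return "less than 14 days, not less than 7"
    return "not less than 14 days"


def features(key: LicenseKey, installed_on: date, today: date) -> dict:
    """Which features remain available on a given day, by key type."""
    if key.key_type not in KEY_TYPES:
        raise ValueError(f"unknown key type: {key.key_type!r}")
    valid = today <= expiration_date(key, installed_on)
    # Only a commercial key keeps scanning after expiry, using the databases
    # installed before the expiration date; beta and trial keys stop everything.
    keeps_scanning = valid or key.key_type == "commercial"
    return {
        "protection": keeps_scanning,
        "database_updates": valid,
        "module_updates": valid,
        "technical_support": valid and key.support_in_terms,
    }


# Constructed sample keys, using the figures from the text above:
# 365-day validity period, limit date December 31, 2010.
COMMERCIAL = LicenseKey("commercial", 365, date(2010, 12, 31), True)
TRIAL = LicenseKey("trial", 30, date(2010, 12, 31), False)

if __name__ == "__main__":
    for installed in (date(2007, 6, 1), date(2010, 6, 1)):
        print("installed", installed, "-> expires", expiration_date(COMMERCIAL, installed))
    stale = features(COMMERCIAL, date(2007, 6, 1), date(2008, 9, 1))
    print("commercial key after expiry:", stale)
```

A server that reports "protection" as available but "database_updates" as unavailable is scanning with databases frozen at the expiration date, which is the condition the Commercial paragraph describes.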

14.2. View installed keys info


To view information on the keys installed:
1. In the console tree, select the License keys node.
2. Open the context menu in the results panel on the bar with information
on the key that you want to view and select Properties.
The <Serial number> Properties dialog box will open (see Figure 86).

Figure 86. The Key Properties dialog box, General tab

The General tab in the <Serial number> Properties dialog box displays the
following information:

| Field | Description |
|---|---|
| Serial number | Key serial number |
| Created | Key write date |
| Key type | Key type (beta, trial, or commercial). For more details on key types, see 14.1 on pg. 209. |
| Validity period | Term of the key in days, set when the key is written |
| Expiration date | Expiration date of the key, calculated by Anti-Virus when the key is installed; it comes when the validity period of the key has elapsed since the time it was activated, but not later than the date when the key expires |
| Application | Anti-Virus application name |
| License objects | A restriction provided by the key (if any) |
| Technical support availability | Information on whether Kaspersky Lab or one of its partners will provide you with technical support provided to customers by the terms of the key. |

The Additional tab in the <Serial number> Properties dialog box displays information on the customer, as well as contact information for Kaspersky Lab or the retailer where you purchased Anti-Virus.

14.3. Key installation


To install a key:
1. Open the context menu on the License keys node in the console tree
and click Install key.
2. Specify the file name of the key and the path to the file in the Adding a
key dialog box (Figure 87).

Figure 87. The Adding a key dialog box

This dialog box displays the information on the key described in the table below.
3. If you install the key as a backup, select Add as a reserve key.
4. Click the OK button.

The Adding a key dialog box displays the following information about the license key being installed:

| Field | Description |
|---|---|
| Number | Key serial number. |
| Type | Key type (beta, trial, or commercial). For more details, see 14.1 on pg. 209. |
| Usage restriction | Restriction objects count. |
| Restriction type | Restriction objects. |
| Expiration date | The expiration date is calculated by Anti-Virus after the key installation; it is the date of the expiration of the key validity period since the moment of its activation, but not later than the date on which the key becomes invalid. For more details refer to section 14.1 on pg. 209. |

14.4. Deleting keys


You can delete the installed key.
If you delete an active key and a backup key is installed, such backup key will
automatically become active.

Warning:
If you delete the installed key, you can restore it only by re-installation from the
key file.

To delete an installed license key:


1. In the console tree, select the License keys node.
2. Open the context menu in the results panel on the bar with information
on the key that you want to delete and select Delete key.
3. Click the Yes button in the confirmation dialog box to confirm that you
wish to delete the key.

CHAPTER 15. CONFIGURING NOTIFICATIONS

This chapter contains the following information:
• Methods for notifying the administrator and users (see 15.1 on pg. 214);
• Configuring notifications (see 15.2 on pg. 216).

15.1. Methods for notifying the administrator and users

Anti-Virus can be used to notify the administrator and users that access the protected server of events in Anti-Virus operation and the status of Anti-Virus protection on the server.
• The administrator can retrieve information on selected types of events;
• LAN users that access the protected server can receive information about events of the Threat detected and Computer has been added to the blocking list types; terminal server users can receive information about events of the Threat detected type.
In the Anti-Virus MMC Console, you can configure notifications for the administrator or users using several methods. These methods are described in the tables that follow.
Table 13. User notification methods

| Notification method | Default settings | Description |
|---|---|---|
| Terminal service windows | Configured based on events of Threat detected type | If the protected server is terminal, you can use this method to notify terminal users of the server. |
| Microsoft Windows NET SEND | Configured based on events of Threat detected and Computer has been added to the blocking list types | This notification method uses Microsoft Windows NET SEND. Before using this notification method, make sure that NET SEND is enabled on the protected server and the LAN user workstations (disabled by default). |

Table 14. Administrator notification methods

| Notification method | Default settings | Description |
|---|---|---|
| Microsoft Windows NET SEND | Not enabled | This notification method uses Microsoft Windows NET SEND. Before configuring this notification method, make sure that NET SEND is enabled on the protected server and the computer that serves as the administrator's workplace (if the administrator is managing Anti-Virus remotely). NET SEND is disabled by default. |
| Run executable file | Not enabled | This notification method runs a specified executable file when triggered by an event. The executable file must be saved on a local drive of the protected server. When specifying the path to the executable file, you can use environment variables. |
| E-mail notification | Not enabled | This notification method uses e-mails to transmit notifications. |

You can create the message text for individual event types. It can include a field
with information about the event.
The message text used by default for user notifications is given in the following
table.

Table 15. Default message text for user notifications

| Task | Event type | Message text |
|---|---|---|
| Real-time file protection | Threat detected | Kaspersky Anti-Virus blocked access to %OBJECT% on computer %FROM_COMPUTER% at %EVENT_TIME% Reason: %EVENT_TYPE%. Threat type: %VIRUS_TYPE%: %VIRUS_NAME%. User name: %USER_NAME%. Computer name: %USER_COMPUTER% |
| Real-time file protection, Blocking access from computers | Computer has been added to the blocking list | Kaspersky Anti-Virus on computer %FROM_COMPUTER%: %EVENT_TYPE%. Computer name: %USER_COMPUTER%. Blocking time: %EVENT_TIME%. Reason: attempt to upload infected or suspicious files. Contact the system administrator for your network |

15.2. Notification settings


Event notification settings give you a choice of method to configure and message
text to compose.
To configure event notification settings:
1. Open the context menu on the Anti-Virus name in the interface in the
console tree and select Notifications.
The Notifications dialog box will open (see Figure 88).
Figure 88. The Notifications dialog box

2. On the Notifications tab in the Notifications dialog box, select the
events and specify the notification method for them:
• To specify the method of notifying the administrator, take the following
steps:
a) Select the event for which you want to select a notification method
from the Event type list;
b) In the Notify administrators group settings, select the checkbox
next to the notification methods that you want to configure.
• To specify the method of notifying users, take the following steps:
a) From the Event type list select types of events (Threat detected
and Computer has been added to the blocking list) about which you
wish to notify users on whose computers such events may occur;
b) In the Notify users group settings, select the checkbox next to
the notification methods that you want to configure.

Note
You can compose a single message text for several event
types: After you have selected a notification method for one
event type, select the other event types for which you want to
use the same message text using the <Ctrl> and <Shift> keys.

3. To compose the message text, click Message text in the desired settings
group and enter the text to be displayed in the event message in the
Message text dialog box.
To add fields with information on the event, click Macro... and select the
desired fields from the list of those available. Fields with information on
events are described in Table 16.
In order to restore the default text of the message for this event, press
the Default button.
4. To configure the administrator notification methods for selected events,
click Settings in the Notifications dialog box and configure the selected
methods in the Additional settings dialog box.
• For e-mail notifications, open the E-mail tab (see Figure 89) and
specify the e-mail addresses of the recipients (delimit addresses
with a semicolon), the name or network address of the SMTP
server, and the port in the appropriate fields. If necessary, specify
the text that will be displayed in the Subject and From fields. The
text in the Subject field can also include a field with information
about the event (see Table 16).
If you want to use user account authentication when connecting
with the SMTP server, select Require SMTP authentication in the
Authentication settings group and specify the name and password
for the user whose user account will be authenticated.

Figure 89. The Settings dialog box, E-mail tab

• For notifications using Messaging Service, create a list of recipient
computers for the notifications on the Messaging Service tab (see
Figure 90). For each computer that you want to add, click the Add
button and enter its network name in the input field. Do not use an
IP address for computers in this field.

Figure 90. The Settings dialog box, Messaging Service tab

• To run an executable file, select the file on a local drive of the
protected server that will be executed on the server when triggered by
the event, or enter the full path to it on the Executable file tab (see
Figure 91). Enter the username and password under which the file
will be executed.
When specifying the path to the executable file, you can use system
environmental variables; you cannot use user's environmental
variables.

Figure 91. The Settings dialog box, Executable file tab

• If you want to limit the number of messages for one event type over
a period of time, on the Additional tab (see Figure 92), select
Do not send the same notification more than and specify the
needed number of times and time span.

Figure 92. The Settings dialog box, Additional tab

5. Click the OK button.


Table 16. Field with information about events

| Field | Description |
|---|---|
| %EVENT_TYPE% | Event type |
| %EVENT_TIME% | Time that the event occurred |
| %EVENT_SEVERITY% | Severity level |
| %OBJECT% | Object name (in real-time protection and on-demand scan tasks). The Application module update task includes the name of the update and the address of the web page with information on the update. |
| %VIRUS_NAME% | Threat name according to Kaspersky Lab classification; included in the full name of the threat that Anti-Virus returns (in real-time protection and on-demand scan tasks) |
| %VIRUS_TYPE% | Threat type according to Kaspersky Lab classification; included in the full name of the threat that Anti-Virus returns (in real-time protection and on-demand scan tasks) |
| %USER_COMPUTER% | In a Real-time file protection task, the computer name for the user that accessed the object on the server |
| %USER_NAME% | In a Real-time file protection task, the name of the user that accessed the object on the server |
| %FROM_COMPUTER% | Name of the protected server where the notification originated |
| %REASON% | Reason event occurred (some events do not have this field) |
| %ERROR_CODE% | Error code (Events Internal error Tasks) |
| %TASK_NAME% | Task name (only for events related to task performance) |
PART 2. MANAGING ANTI-VIRUS FROM THE COMMAND LINE
This section contains the following information:
• Description of commands for administering Anti-Virus from the command
prompt (see Chapter 16 on pg. 225);
• Description of return codes (see Chapter 17 on pg. 245).
CHAPTER 16. ANTI-VIRUS COMMAND LINE COMMANDS

You can perform basic Anti-Virus management commands from the command
line of the protected server if you included the Command line utility in the
list of installed features during Anti-Virus installation.
Using command line commands you can manage only those functions which are
accessible to you based on the rights assigned to you in Anti-Virus (for more
details about access to Anti-Virus functions refer to section 2.6.1 on pg. 35).
Some Anti-Virus commands are executed in synchronous mode, that is, control
returns to the console only after the command is completed; other commands
are executed in asynchronous mode: control returns to the console
immediately after the command is started.
In order to interrupt command execution in synchronous mode, press <Ctrl+C>.
Follow these rules when entering Anti-Virus commands:
• enter modifiers and commands using upper and lower case;
• delimit modifiers with the space character;
• if the name of the file (folder) whose path you specify as the value of
a modifier contains the space character, provide the path to the file
(folder) in quotes, for example "C:\TEST\test cpp.exe";
• in filename or path masks use only one placeholder and enter it only
at the end of the path to a folder or to a file, for example
"C:\Temp\Temp*\", "C:\Temp\Temp???.doc", "C:\Temp\Temp*.doc".
The list of Anti-Virus commands is provided in Table 17.
Anti-Virus command return codes are listed in Chapter 17 on pg. 245.
Table 17. Anti-Virus commands

| Command | Description |
|---|---|
| KAVSHELL HELP (16.1) | displays Anti-Virus command help |
| KAVSHELL START (16.2) | starts Anti-Virus service |
| KAVSHELL STOP (16.2) | stops Anti-Virus service |
| KAVSHELL SCAN (16.3) | creates and launches a temporary on-demand scan task with the scan scope and security settings set by the command modifiers |
| KAVSHELL FULLSCAN (16.4) | starts the Scan My Computer system task |
| KAVSHELL TASK (16.5) | starts, pauses, resumes or stops the selected task in asynchronous mode; returns the current task status or task statistics |
| KAVSHELL RTP (16.6) | starts or stops all real-time protection tasks |
| KAVSHELL UPDATE (16.7) | starts Anti-Virus bases update task with settings specified using command modifiers |
| KAVSHELL ROLLBACK (16.8) | rolls back bases to the previous version |
| KAVSHELL LICENSE (/ADD, /DEL) (16.9) | manages keys |
| KAVSHELL TRACE (16.10) | enables or disables the tracking log, manages settings of the tracking log |
| KAVSHELL DUMP (16.11) | enables or disables the process memory dump in case of abnormal termination of processes |
| KAVSHELL IMPORT (16.12) | imports general Anti-Virus settings, functions, and tasks from a configuration file created beforehand |
| KAVSHELL EXPORT (16.13) | exports all Anti-Virus settings and existing tasks to a configuration file |

16.1. Displaying Anti-Virus command help. KAVSHELL HELP
In order to obtain the list of all Anti-Virus commands, enter one of the following
commands:
KAVSHELL
KAVSHELL HELP
KAVSHELL /?
To see an overview of a command and its syntax, enter one of the following
commands:
KAVSHELL HELP <command>
KAVSHELL <command> /?
KAVSHELL HELP command examples
KAVSHELL HELP SCAN – view detailed information about command
KAVSHELL SCAN.

16.2. Anti-Virus service startup or shutdown. KAVSHELL START, KAVSHELL STOP
In order to start Anti-Virus service use command KAVSHELL START.

Note
By default, when Anti-Virus starts, the tasks Real-time file protection,
Script monitoring, Scan at the system startup and Application integrity
control are started, as well as other tasks whose schedule specifies the
launch frequency At the application startup.

In order to stop Anti-Virus service use command KAVSHELL STOP.

16.3. Scanning selected area. KAVSHELL SCAN
In order to start a task for scanning specific areas of the protected server use
command KAVSHELL SCAN. The task settings (scan scope and security settings)
are specified by the command modifiers.
The on-demand scan task launched using the KAVSHELL SCAN command is a
temporary task. It is displayed in the Anti-Virus console in MMC only during its
execution (you cannot view task settings in the Anti-Virus console). The task
performance report is generated at the same time. It is displayed in the Report
node of the Anti-Virus console. As with on-demand scan tasks created in the
Anti-Virus console, policies of the Kaspersky Administration Kit application can
be applied to tasks created and launched using the SCAN command (for details
about using Kaspersky Administration Kit to manage Anti-Virus, see Part 3 on
pg. 251).
Command KAVSHELL SCAN is executed in the synchronous mode.
When specifying the paths in on-demand scan tasks, you can use environmental
variables. If you use an environmental variable specified for a user, execute
the KAVSHELL SCAN command with the rights of this user.
In order to start an existing on-demand scan task created in the Anti-Virus
console from the command line use KAVSHELL TASK (see 16.5 on pg. 233).
KAVSHELL SCAN command syntax
KAVSHELL SCAN [scan scope
/MEMORY|/SHARED|/STARTUP|/REMDRIVES|/FIXDRIVES|/MYCOMP]
[/L:< path to file with the list of scan scopes>]
[/F<A|C|E>] [/NEWONLY]
[/AI:<DISINFECT|DISINFDEL|DELETE|REPORT|AUTO>]
[/AS:<QUARANTINE|DELETE|REPORT|AUTO>] [/DISINFECT|/DELETE]
[/E:<ABMSPO>] [/EM:<"masks">] [/ES:<size>] [/ET:<number of
seconds>] [/NOICHECKER][/NOISWIFT][/W:<path to report
file>] [/ALIAS:<task name alias>]
KAVSHELL SCAN command examples
KAVSHELL SCAN Folder4 D:\Folder1\Folder2\Folder3\
C:\Folder1\ C:\Folder2\3.exe "\\another server\Shared\"
F:\123\*.fgb /SHARED /AI:DISINFDEL /AS:QUARANTINE /FA
/E:ABM /EM:"*.xtx;*.fff;*.ggg;*.bbb;*.info" /NOICHECKER
/NOISWIFT /W:log.log
KAVSHELL SCAN /L:scan_objects.lst /W:report.log

| Modifier | Description |
|---|---|
| Scan scope. Mandatory modifier. | |
| <files>, <folders>, <network path> | Specifies the scan scope - the list of files, folders, network paths and pre-defined areas. Specify network paths in the UNC format (Universal Naming Convention). In the following example folder Folder4 is specified without a path - it is located in the folder from which you launch command KAVSHELL: KAVSHELL SCAN Folder4 |
| /MEMORY | Scan objects in RAM |
| /SHARED | Scan shared folders on the server |
| /STARTUP | Scan startup objects |
| /REMDRIVES | Scan removable drives |
| /FIXDRIVES | Scan hard drives |
| /MYCOMP | Scan all areas of protected server |
| /L:<path to file with the list of scan scopes> | File name with the list of scan scopes including full path to the file. Delimit scan areas in the file using line breaks. You can specify pre-defined scan areas, as in this example of a file with a scan scope list (one entry per line in the file, separated by commas here): C:\, D:\Docs\*.doc, E:\My Documents, /STARTUP, /SHARED |
| Detectable objects (File types). If you do not specify values for this modifier, Anti-Virus will scan objects by their format. | |
| /FA | Scan all objects |
| /FC | Scan objects by format (by default). Anti-Virus scans only objects whose format is included in the list of formats of infectable objects. |
| /FE | Scan objects by extension. Anti-Virus scans only objects with extensions included in the list of extensions of infectable objects. |
| /NEWONLY | Scan only new and modified objects (for more details about this setting see section A.3.2 on pg. 360). If you do not provide this modifier, Anti-Virus will scan all objects. |
| /AI: Actions to be performed with infected objects. If you do not specify values for this modifier, Anti-Virus will only perform the Skip action. | |
| DISINFECT | Skip, delete if disinfection is not possible |
| DISINFDEL | Disinfect, delete if disinfection is not possible |
| DELETE | Delete |
| REPORT | Report only |
| AUTO | Perform the recommended action |
| /AS: Actions with suspicious objects (actions). If you do not specify values for this modifier, Anti-Virus will perform the Skip action. | |
| QUARANTINE | Quarantine |
| DELETE | Delete |
| REPORT | Report only |
| AUTO | Perform the recommended action |
| Exclusions | |
| /E:ABMSPO | Excludes composite objects of the following types: A – archives; B – e-mail databases; M – plain mail; S – SFX-archives; P – packed objects; O – embedded OLE objects. |
| /EM:<"masks"> | Exclude files by mask. You can specify several masks, for example, /EM:"*.txt;*.png; C:\Videos\*.avi". |
| /ET:<number of seconds> | Stop processing an object if it continues longer than the number of seconds specified by value <number of seconds>. There is no time restriction by default. |
| /ES:<size> | Do not scan compound objects larger than the size (in MB) specified by value <size>. Anti-Virus scans all sizes of objects by default. |
| Additional settings (Options) | |
| /NOICHECKER | Disable the use of iChecker (enabled by default) |
| /NOISWIFT | Disable the use of iSwift (enabled by default) |
| /ALIAS:<task alias> | Enables you to assign an on-demand scan task a temporary name by which the task can be accessed during its execution, for example in order to view its statistics using the TASK command. The task name alias must be unique among the aliases of tasks of all functional components of Anti-Virus. If this modifier is not specified, temporary name scan_<kavshell_pid> is used, for example scan_1234. The task name is also assigned automatically as Scan objects (<date and time>), for example Scan objects 8/16/2007 5:13:14 PM. |
| Report settings | |
| /W:<path to report file> | If you specify this modifier, Anti-Virus will save the task report file with the name specified by the modifier's value. The report file contains the task execution statistics, time when it was started and completed (stopped) and information about events in this task. The report registers events specified by the settings of the reports and event log in the Anti-Virus console (for more details refer to section 13.2.7 on pg. 197). You can specify either the absolute or the relative path to the report file. If you specify only the file name without specifying a path to it, the report file will be created in the current folder. Restarting the command with the same report settings will overwrite the existing report. You can view the report file while the scan task is being executed. The report about the task is also displayed in the Report node of the Anti-Virus console. If Anti-Virus fails to create the report file, it will not stop the command from executing and will not display an error message. |
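The entry rules at the start of this chapter and the KAVSHELL SCAN modifiers above can be checked before a scheduled job calls the utility. The following Python sketch is an added example, not Kaspersky Lab code: the function names are hypothetical, the mask check is one reading of the "one placeholder at the end of the path" rule, and /AI and /AS are always written out because the documented default for both is Skip.

```python
import re

PREDEFINED = {"/MEMORY", "/SHARED", "/STARTUP", "/REMDRIVES", "/FIXDRIVES", "/MYCOMP"}
AI_ACTIONS = {"DISINFECT", "DISINFDEL", "DELETE", "REPORT", "AUTO"}
AS_ACTIONS = {"QUARANTINE", "DELETE", "REPORT", "AUTO"}
FILE_TYPES = {"A", "C", "E"}     # /FA, /FC, /FE
COMPOSITE = set("ABMSPO")        # letters accepted by /E:


def check_mask(path):
    """Reject masks that break the 'one placeholder, at the end' rule."""
    if '"' in path:
        raise ValueError("quote character inside path: " + path)
    parts = path.rstrip("\\").split("\\")
    for part in parts[:-1]:
        if "*" in part or "?" in part:
            raise ValueError("placeholder before the last path element: " + path)
    # A run such as ??? counts as one placeholder (see C:\Temp\Temp???.doc).
    if len(re.findall(r"[*?]+", parts[-1])) > 1:
        raise ValueError("more than one placeholder: " + path)
    return path


def quote(path):
    """Paths that contain a space are given in straight double quotes."""
    return '"%s"' % path if " " in path else path


def build_scan(scope, infected, suspicious, file_types="C",
               exclude="", masks=(), report=None, alias=None):
    """Return a KAVSHELL SCAN command line, or raise ValueError."""
    if not scope:
        raise ValueError("scan scope is mandatory")
    infected, suspicious = infected.upper(), suspicious.upper()
    if infected not in AI_ACTIONS:
        raise ValueError("unknown /AI action: " + infected)
    if suspicious not in AS_ACTIONS:
        raise ValueError("unknown /AS action: " + suspicious)
    if file_types.upper() not in FILE_TYPES:
        raise ValueError("unknown /F value: " + file_types)
    if not set(exclude.upper()) <= COMPOSITE:
        raise ValueError("unknown /E letters: " + exclude)

    args = ["KAVSHELL", "SCAN"]
    for item in scope:
        if item.upper() in PREDEFINED:
            args.append(item.upper())
        else:
            args.append(quote(check_mask(item)))
    args.append("/F" + file_types.upper())
    # Written out explicitly: without them infected and suspicious objects are skipped.
    args += ["/AI:" + infected, "/AS:" + suspicious]
    if exclude:
        args.append("/E:" + exclude.upper())
    if masks:
        args.append('/EM:"%s"' % ";".join(check_mask(m) for m in masks))
    if alias:
        args.append("/ALIAS:" + alias)
    if report:
        args.append("/W:" + quote(check_mask(report)))
    return " ".join(args)


if __name__ == "__main__":
    # Constructed sample scope, for illustration only.
    print(build_scan(["C:\\Temp\\Temp*.doc", "E:\\My Documents", "/shared"],
                     "disinfdel", "quarantine", file_types="a",
                     exclude="abm", masks=["*.txt", "*.tmp"],
                     report="scan report.log"))
```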

16.4. Starting the Scan my computer task. KAVSHELL FULLSCAN
Use command KAVSHELL FULLSCAN in order to start the system on-demand
scan task Scan my computer with settings set in the Anti-Virus Console in
MMC.
When specifying the paths in on-demand scan tasks, you can use environmental
variables. If you use an environmental variable specified for a user, execute
the KAVSHELL SCAN command with the rights of this user.
KAVSHELL FULLSCAN command syntax
KAVSHELL FULLSCAN [/W:<path to report file>]
KAVSHELL FULLSCAN command examples
KAVSHELL FULLSCAN /W:fullscan.log – perform the on-demand scan task
Scan my computer, save report about the task events in fullscan.log file in the
current folder.

| Modifier | Description |
|---|---|
| /W:<path to report file> | If you specify this modifier, Anti-Virus will save the task report file with the name specified by the modifier's value. The report file contains the task execution statistics, time when it was started and completed (stopped) and information about events in this task. The report registers events specified by the settings of the reports and event log in the Anti-Virus console (for more details refer to section 13.2.7 on pg. 197). You can specify either the absolute or the relative path to the report file. If you specify only the file name without specifying a path to it, the report file will be created in the current folder. Restarting the command with the same report settings will overwrite the existing report with the same name. You can view the report file while the scan task is being executed. The report about the task is also displayed in the Report node of the Anti-Virus console. If Anti-Virus fails to create the report file, it will not stop the command from executing and will not display an error message. |

16.5. Managing the specified task in asynchronous mode. KAVSHELL TASK
Using KAVSHELL TASK command you can manage the specified task: run,
pause, resume and stop the specified task and view the current task status and
statistics. The command is performed in asynchronous mode.
KAVSHELL TASK command syntax
KAVSHELL TASK [<task name alias> </START | /STOP | /PAUSE |
/RESUME | /STATE | /STATISTICS >]
KAVSHELL TASK command examples
KAVSHELL TASK
KAVSHELL TASK on-access /START
KAVSHELL TASK user-task_1 /STOP
KAVSHELL TASK scan-computer /STATE

| Modifier | Description |
|---|---|
| Without modifiers | Returns the list of all existing Anti-Virus tasks. The list contains the following fields: alias, task category (system, user-defined or group) and the current task status. |
| <task alias> | Instead of the task name, in the SCAN TASK command, use its Task alias, an additional short-form name that Anti-Virus assigns to tasks. To view Anti-Virus task aliases enter the command KAVSHELL TASK without any modifiers. |
| /START | Starts the specified task in asynchronous mode |
| /STOP | Stops the specified task |
| /PAUSE | Pauses the specified task |
| /RESUME | Resumes the specified task in asynchronous mode |
| /STATE | Returns the current task status (Running, Completed, Paused, Stopped, Completed with an error, Starting, Resuming) |
| /STATISTICS | Retrieve task statistics - information on the number of objects processed from the time the task started until now |

16.6. Starting and stopping real-time protection tasks. KAVSHELL RTP
Using the KAVSHELL RTP command you can start or stop all real-time
protection tasks.
KAVSHELL RTP command syntax
KAVSHELL RTP {/START | /STOP}
KAVSHELL RTP command examples
KAVSHELL RTP /START – start all real-time protection tasks.

| Modifier | Description |
|---|---|
| /START | starts all real-time protection tasks. |
| /STOP | stops all real-time protection tasks. |

16.7. Starting Anti-Virus bases update task. KAVSHELL UPDATE
Using the KAVSHELL UPDATE command you can start the Anti-Virus bases
update task in the synchronous mode.
An Anti-Virus bases update task run using a KAVSHELL UPDATE command is a
temporary task. It is displayed in the Anti-Virus console in MMC only during its
execution. At the same time a report about the task execution is registered; it is
displayed in the Reports node of the Anti-Virus console. Kaspersky
Administration Kit application policies may be applied to updating tasks created
and launched using the KAVSHELL UPDATE command and to the updating tasks
created in the Anti-Virus console (for details about managing Anti-Virus on
servers using Kaspersky Administration Kit, see Part 3 on pg. 251).
When specifying the path to the update source in this task, you can use
environmental variables. If you use user's environmental variables, execute the
KAVSHELL UPDATE command with the rights of this user.
In order to interrupt KAVSHELL UPDATE task execution, press <Ctrl+C>.
KAVSHELL UPDATE command syntax
KAVSHELL UPDATE < Path to update source | /AK | /KL>
[/NOUSEKL] [/PROXY:<address>:<port>] [/AUTHTYPE:<0-2>]
[/PROXYUSER:<user name>] [/PROXYPWD:<password>]
[/NOPROXYFORKL] [/USEPROXYFORCUSTOM] [/NOFTPPASSIVE]
[/TIMEOUT:<sec>] [/REG:<code iso3166>] [/W:<path to report file>]
[/ALIAS:<task alias>]
KAVSHELL UPDATE command examples
KAVSHELL UPDATE – start a user-defined bases update task;
KAVSHELL UPDATE \\Server\bases – start the bases update task, update
files are stored in network folder \\Server\bases;
KAVSHELL UPDATE ftp://dnl-ru1.kaspersky-labs.com/
/W:c:\update_report.log – start the update task from the folder on the
FTP-server ftp://dnl-ru1.kaspersky-labs.com/; record all task events into report
file c:\update_report.log.
KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080
/AUTHTYPE:1 /PROXYUSER:inetuser /PROXYPWD:123456 – download
Anti-Virus bases updates from Kaspersky Lab's update server; connect to the
updates sources via a proxy server (proxy server address: proxy.company.com,
port: 8080); use in-built Microsoft Windows authentication (NTLM-authentication)
under account (username: inetuser; password: 123456) to access the server.
| Modifier | Description |
|---|---|
| Updates sources (mandatory modifier). Specify one or several sources. Anti-Virus will contact the sources in the order they are listed. Delimit the sources with a space. | |
| <Path to the update source> | User-defined update source. Path to the network folder in the UNC format. |
| <URL> | User-defined update source. HTTP server address on which folder with updates is located. |
| <FTP> | User-defined update source. FTP server address on which folder with updates is located. |
| <Local update folder> | User-defined update source. Folder on the protected server. |
| /AK | Kaspersky Administration Kit server as the update source. |
| /KL | Kaspersky Lab's update servers as the update sources. |
| /NOUSEKL | Do not use Kaspersky Lab updating servers if other update sources are not available (used by default) |
| Proxy server settings | |
| /PROXY:<address>:<port> | Network name or IP address of the proxy server and its port. If you do not specify this modifier, Anti-Virus will automatically detect settings of the proxy server used in the local area network. |
| /AUTHTYPE:<0-2> | This modifier specifies the authentication method for access to the proxy server: 0 – in-built Microsoft Windows NTLM-authentication; Anti-Virus will contact proxy server under the Local system (SYSTEM) account; 1 – in-built Microsoft Windows NTLM-authentication; Anti-Virus will contact proxy server under account with login name and password specified by modifiers /PROXYUSER and /PROXYPWD; 2 – authentication by login name and password specified by modifiers /PROXYUSER and /PROXYPWD (basic authentication). If authentication is not required for accessing proxy server, there is no necessity to specify this modifier. |
| /PROXYUSER:<user name> | Username that will be used for accessing proxy server. If you specify the value of modifier /AUTHTYPE:0, then the /PROXYUSER:<user name> and /PROXYPWD:<password> modifiers will be ignored. |
| /PROXYPWD:<password> | Password that will be used for accessing proxy server. If you specify the value of modifier /AUTHTYPE:0, then /PROXYUSER:<user name> and /PROXYPWD:<password> modifiers will be ignored. If you specify modifier /PROXYUSER and omit modifier /PROXYPWD, the password will be considered to be blank. |
| /NOPROXYFORKL | Do not use proxy server settings for connecting with Kaspersky Lab's update servers (used by default) |
| /USEPROXYFORCUSTOM | Use proxy server settings for connecting with local update sources. If not specified, the value Do not use proxy server settings to connect to the local update sources is used. For more details about these settings see section A.5.4.1 on pg. 384. |
| General FTP and HTTP server settings | |
| /NOFTPPASSIVE | If you specify this modifier, Anti-Virus will use the active FTP server mode to connect to the protected server. If you do not specify this modifier, Anti-Virus will use the passive FTP server mode, if possible. |
| /TIMEOUT:<number of seconds> | FTP or HTTP server connection timeout. If you do not specify this modifier, Anti-Virus will use the default value: 10 sec. You can only use integers as the value for this modifier. |
| /REG:<code iso3166> | Regional settings. This modifier is used when receiving updates from Kaspersky Lab's update servers. Anti-Virus optimizes the downloading of updates to the protected server by selecting the update server closest to it. As the value of this modifier, specify the letter code of the country where the protected server is located in accordance with standard ISO 3166-1, for example /REG: gr or /REG:RU. If you omit this code or specify the code of a country that does not exist, Anti-Virus will detect the location of the protected server based on the regional settings of the computer on which Anti-Virus console is installed (for Microsoft Windows 2003 Server and above - by the value of variable Location). |
| /ALIAS:<task alias> | This modifier will allow you to assign the task a temporary name by which you could access it during its execution. For example you can view task statistics using the TASK command. The task alias must be unique among the task aliases of all functional components of Anti-Virus. If this modifier is not specified, the temporary name update_<kavshell_pid> is used, for example scan_1234. In the Anti-Virus console the task will be automatically assigned name Update-bases (<date time>), for example, Update-bases 8/16/2007 5:41:02 PM. |
| /W:<path to report file> | If you specify this modifier, Anti-Virus will save the task report file with the name specified by the modifier's value. The report file contains the task execution statistics, time when it was started and completed (stopped) and information about events in this task. The report registers events specified by the settings of the reports and event log in the Anti-Virus console (for more details refer to section 13.2.7 on pg. 197). You can specify either the absolute or the relative path to the report file. If you specify only the file name without specifying a path to it, the report file will be created in the current folder. Restarting the command with the same report settings will overwrite the existing report with the same name. You can view the report file while the on-demand scan task is being executed. The report about the task is also displayed in the Report nodes of the Anti-Virus console. If Anti-Virus cannot generate a report file, it will not terminate the commands and will not display an error message. |
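Several of the commands described so far switch protection off (KAVSHELL STOP, KAVSHELL RTP /STOP, KAVSHELL TASK <alias> /STOP or /PAUSE), and KAVSHELL UPDATE takes the proxy password as a modifier value, so recorded command lines are worth reviewing for both. The Python sketch below is an added example, not part of the guide or of Anti-Virus: the log lines and the install path are constructed, the function names are hypothetical, and it assumes the utility appears in logs as KAVSHELL or KAVSHELL.EXE and that commands and modifiers are matched without regard to case.

```python
import re

# A token is a run of non-space text; "quoted parts" inside it may hold spaces.
TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')
SECRET = re.compile(r'(/PROXYPWD:)(?:"[^"]*"|[^\s"])*', re.IGNORECASE)
NAMES = {"KAVSHELL", "KAVSHELL.EXE"}   # assumed names of the utility in logs

# Constructed sample of recorded command lines (timestamp, host, user, command).
SAMPLE_LOG = [
    r'2008-07-14 02:10:03 SRV01 svc_backup "C:\Program Files\AV\kavshell.exe" RTP /stop',
    r'2008-07-14 02:10:09 SRV01 svc_backup kavshell task on-access /PAUSE',
    r'2008-07-14 03:00:00 SRV01 SYSTEM KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080'
    r' /AUTHTYPE:1 /PROXYUSER:inetuser /PROXYPWD:123456',
    r'2008-07-14 04:00:00 SRV01 SYSTEM KAVSHELL SCAN /MYCOMP /AI:DISINFDEL /AS:QUARANTINE',
    r'2008-07-14 04:30:00 SRV01 admin KAVSHELL TASK scan-computer /STATE',
]


def redact(cmdline):
    """Mask the /PROXYPWD value before the line is stored or forwarded."""
    return SECRET.sub(lambda m: m.group(1) + "<redacted>", cmdline)


def classify(cmdline):
    """Return a finding for a command that needs review, else None."""
    tokens = TOKEN.findall(cmdline)
    start = None
    for i, tok in enumerate(tokens):
        # Accept a bare name or a (possibly quoted) full path to the utility.
        if tok.strip('"').rsplit("\\", 1)[-1].upper() in NAMES:
            start = i + 1
            break
    if start is None or start >= len(tokens):
        return None
    command = tokens[start].upper()
    rest = tokens[start + 1:]
    mods = {t.upper() for t in rest}
    if command == "STOP":
        return "Anti-Virus service stopped"
    if command == "RTP" and "/STOP" in mods:
        return "all real-time protection tasks stopped"
    if command == "TASK" and len(rest) >= 2:
        for action in ("/STOP", "/PAUSE"):
            if action in mods:
                return "task %s: %s" % (rest[0], action[1:].lower())
    if any(m.startswith("/PROXYPWD:") for m in mods):
        return "proxy password passed on the command line"
    return None


def review(lines):
    """Return (line number, finding, redacted line) for each line with a finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        finding = classify(line)
        if finding:
            hits.append((number, finding, redact(line)))
    return hits


if __name__ == "__main__":
    for hit in review(SAMPLE_LOG):
        print(hit)
```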

16.8. Rollback of the Anti-Virus bases update. KAVSHELL ROLLBACK
Using the KAVSHELL ROLLBACK command you can perform the Anti-Virus database
rollback system task, that is, roll back the Anti-Virus bases to the previously
installed version. The command is performed synchronously.
Command syntax:
KAVSHELL ROLLBACK

16.9. Installing and deleting keys. KAVSHELL LICENSE
Using the KAVSHELL LICENSE command you can install and delete Anti-Virus
keys.
KAVSHELL LICENSE command syntax
KAVSHELL LICENSE [/ADD:<path to key file> [/R] | /DEL:<serial number>]
KAVSHELL LICENSE command examples
KAVSHELL LICENSE /ADD:C:/License.key – install key from the file;
KAVSHELL LICENSE – view information about installed keys;
KAVSHELL LICENSE /DEL:0000-000000-00000001 – remove installed key
with serial number 0000-000000-00000001.

| Modifier | Description |
|---|---|
| Without modifiers | Command returns the list of installed keys. It contains the following information about the key: serial number of the key; key type (beta, commercial, or trial); key expiration date; whether the key is a backup key. If the value specified is * the key is installed as the backup key. |
| /ADD:<path to key file> | Installs key from a file, the path to which is specified by the value of the /ADD modifier. Include the key file name and the full path to it. When specifying the path to the key you can use system environmental variables; you cannot use user's environmental variables. |
| /R | Key /R is an additional key to /ADD. It specifies that the key being installed is the backup key. |
| /DEL:<serial number> | deletes the key with serial number specified by the value of /DEL. |

16.10. Enabling, configuring and disabling the tracking log. KAVSHELL TRACE
Using the KAVSHELL TRACE command you can enable and disable the tracking
log of all Anti-Virus subsystems and set the log detail level "on the fly".
KAVSHELL TRACE command syntax
KAVSHELL TRACE </ON /F:<path to log file folder>
[/S:<maximum log size in megabytes>]
[/LVL:debug|info|warning|error|critical] | /OFF>
If the tracking log is being maintained and you would like to change its
settings, enter the KAVSHELL TRACE command with modifier /ON and specify
settings of the log with values of modifiers /S and /LVL.

| Modifier | Description |
|---|---|
| /ON | Enables the tracking log. |
| /F:<folder with tracking log files> | This modifier specifies full path to the folder in which the tracking log files will be saved (mandatory modifier). If you specify a path to a non-existent folder, no tracking logs will be created. You can specify network paths but you cannot specify paths to folders on network drives of the protected server. If the name of the folder whose path you specify as the value of the modifier contains the space character, provide the path to this folder in quotes, for example /F:"C:\Trace Folder". When specifying the path to the tracking log file you can use system environmental variables; you cannot use user's environmental variables. |
| /S:<the maximum log file size in megabytes> | This modifier sets the maximum size of a single file of the tracking log. As soon as the log file reaches the maximum level, Anti-Virus will start recording information into a new file; the previous log file will be saved. If you do not specify the value of this modifier, the maximum size of one log file will be 50 MB. |
| /LVL:<debug \| info \| warning \| error \| critical> | This modifier sets the detail level of the log from the maximum (debug information) which records all events into the log to the minimum (critical) which records only critical events. If you do not specify this modifier, then events with the Debug information detail level will be recorded into the log. |
| /OFF | This modifier disables the tracking log. |

KAVSHELL TRACE command examples:


KAVSHELL TRACE /ON /F:"C:\Trace Folder" /S:200 – enable keeping the tracking log with detail level Debug information and the maximum log file size of 200 MB; save the log file to folder C:\Trace Folder.
KAVSHELL TRACE /ON /F:"C:\Trace Folder" /LVL:warning – enable keeping the tracking log with detail level Important events; save the log file to folder C:\Trace Folder.
KAVSHELL TRACE /OFF – disable keeping the tracking log.
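A pre-flight check for the /F folder rules above, as an added PowerShell example that is not part of the guide: it rejects a missing folder (no tracking logs would be created) and a mapped network drive before calling KAVSHELL TRACE /ON. The function name Enable-KavTrace and starting kavshell.exe by name are assumptions of this example; only literal paths are handled, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the guide. Enable-KavTrace is a hypothetical name;
# kavshell.exe being startable by name is an assumption (pass -KavShell otherwise).
function Enable-KavTrace {
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [ValidateRange(1, [int]::MaxValue)][int]$MaxSizeMB = 50,   # guide default: 50 MB per file
        [ValidateSet('debug', 'info', 'warning', 'error', 'critical')]
        [string]$Level = 'debug',                                  # guide default: debug
        [string]$KavShell = 'kavshell.exe'
    )

    # This example handles literal full paths only: C:\... or \\server\share\...
    if ($Folder -match '%') {
        throw 'Pass a literal path; this example does not expand environment variables.'
    }
    if ($Folder -notmatch '^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)') {
        throw "The /F modifier needs a full path, got '$Folder'."
    }

    # Network (UNC) paths are allowed; a drive letter mapped to a share is not.
    if ($Folder -notmatch '^\\\\') {
        $drive = New-Object System.IO.DriveInfo ($Folder.Substring(0, 1))
        if ($drive.DriveType -eq [System.IO.DriveType]::Network) {
            throw "'$Folder' is on a network drive; use the \\server\share form instead."
        }
    }

    # The check runs under the caller's account; the Anti-Virus service
    # (SYSTEM by default) must be able to write to the folder as well.
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder '$Folder' does not exist; no tracking logs would be created."
    }

    # A trailing backslash would escape the closing quote that PowerShell adds
    # around an argument containing spaces.
    if ($Folder.Length -gt 3) { $Folder = $Folder.TrimEnd('\') }

    & $KavShell TRACE /ON "/F:$Folder" "/S:$MaxSizeMB" "/LVL:$Level" | Out-Host
    $code = $LASTEXITCODE
    if ($code -ne 0) {
        throw "KAVSHELL TRACE /ON returned $code (see the KAVSHELL TRACE return codes)."
    }
    "Tracking log enabled: folder '$Folder', $MaxSizeMB MB per file, level $Level"
}

# Usage, mirroring the guide's own examples:
# Enable-KavTrace -Folder 'C:\Trace Folder' -MaxSizeMB 200
# Enable-KavTrace -Folder 'C:\Trace Folder' -Level warning
```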

16.11. Enabling and disabling dump file creation. KAVSHELL DUMP
Using the KAVSHELL DUMP command you can enable or disable creation of
memory snapshots (dumps) of Anti-Virus processes in case of their abnormal
termination. Additionally you can take memory snapshots of the Anti-Virus
processes in progress at any time.
KAVSHELL DUMP command syntax
KAVSHELL DUMP [/ON {/F:<folder with dump files>} | /SNAPSHOT {/F:<folder with dump files>} | /OFF]
KAVSHELL DUMP command examples
KAVSHELL DUMP /ON /F:"C:\Dump Folder" – enable creation of dump files; save dump files into folder C:\Dump Folder.
KAVSHELL DUMP /SNAPSHOT /F:C:/Dumps /P:1234 – take a snapshot of the memory of the process with ID 1234 and save it into folder C:/Dumps.
KAVSHELL DUMP /OFF – disable creation of dump files.

Modifier    Description

/ON    Enables creation of the process memory dump in case of its abnormal termination.

{/F:<path to folder with dump files>}    This is a mandatory modifier. It specifies the path to the folder in which the dump file will be saved. If you specify a path to a non-existent folder, no dump files will be created. You can use a network path to the folder, but you cannot use a network drive.
When specifying the path to the dump file you can use system environment variables; you cannot use user environment variables.

/SNAPSHOT    Takes a snapshot of the memory of the specified running Anti-Virus process and saves the dump file into the folder whose path is specified by the /F modifier.

/P    PID (process identifier) of the process; it is displayed in the Microsoft Windows Task Manager.

/OFF    Disables creation of the process memory dump in case of its abnormal termination.

16.12. Importing settings. KAVSHELL IMPORT
Using the KAVSHELL IMPORT command, you can import Anti-Virus settings, functions, and tasks from a configuration file to Anti-Virus on the protected server. You can create a configuration file using the KAVSHELL EXPORT command.
Command syntax for KAVSHELL IMPORT
KAVSHELL IMPORT <name of config file and path to file>
Examples of the KAVSHELL IMPORT command
KAVSHELL IMPORT Server1.xml
Modifier    Description

<name of config file and path to file>    Name of the configuration file used to import settings.
When specifying the path to the file you can use system environment variables; you cannot use user environment variables.

16.13. Exporting settings. KAVSHELL EXPORT
Using the KAVSHELL EXPORT command, you can export all Anti-Virus settings and existing tasks to a configuration file in order to later import them into Anti-Virus on other servers.
Command syntax for KAVSHELL EXPORT
KAVSHELL EXPORT <name of config file and path to file>
Examples of the KAVSHELL EXPORT command
KAVSHELL EXPORT Server1.xml

Modifier    Description

<name of config file and path to file>    Name of the configuration file in which the settings will be saved.
You can assign any extension to the configuration file.
When specifying the path to the file you can use system environment variables; you cannot use user environment variables.
CHAPTER 17. RETURN CODES

The following tables describe the return codes for Anti-Virus commands.

Return codes for the commands KAVSHELL SCAN and KAVSHELL FULLSCAN

Return code Description

0 Operation completed successfully

1 Operation canceled

-2 Service not running

-3 Permissions error

-4 Object not found (file with list of scan scopes not found)

-5 Invalid command syntax or scan scope not defined

-80 Infected objects found

-81 Suspicious objects found

-82 Processing errors detected

-83 Unchecked objects found

-84 Corrupted objects found

-99 Unknown error

-301 Invalid license key

Return codes for the commands KAVSHELL START and KAVSHELL STOP

Return code Description

0 Operation completed successfully

-3 Permissions error

-5 Invalid command syntax



-6 Invalid operation (for example, the Anti-Virus service is already running or already stopped)

-7 Service not registered

-8 Service is forbidden to start

-9 Attempt to start server under another user account failed (by default the Anti-Virus service runs under the SYSTEM user account).

-99 Unknown error

Return codes for the command KAVSHELL TASK

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-4 Object not found (task not found)

-5 Invalid command syntax

-6 Invalid operation (for example, task not running, already running, or cannot be paused)

-99 Unknown error

-301 Invalid license key

401 Task not running (for modifier /STATE)

402 Task already running (for modifier /STATE)

403 Task already paused (for modifier /STATE)

-404 Error executing operation (change in task status led to it crashing)

Return codes for the command KAVSHELL LICENSE

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Insufficient privileges to perform operation

-4 Object not found (modifier with specified serial number not found)

-5 Invalid command syntax

-6 Invalid operation (license key not installed)

-99 Unknown error

-301 Invalid license key

-303 License key is for a different application

Return codes for the command KAVSHELL UPDATE

Return code Description

0 Operation completed successfully

200 All objects are up-to-date (database or program components are current)

-2 Service not running

-3 Permissions error

-5 Invalid command syntax

-99 Unknown error

-206 Extension files are missing in the specified source or have unknown format

-209 Error connecting to the update source

-232 Anti-Virus was not authenticated when connecting to the proxy server

-234 Error connecting to Kaspersky Administration Kit



-235 Anti-Virus was not authenticated when connecting to the update source

-301 Invalid license key

Return codes for the command KAVSHELL ROLLBACK

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-99 Unknown error

-221 Backup copy of database not found or corrupted

-222 Backup copy of database corrupted

Return codes for the command KAVSHELL RTP

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-4 Object not found (one of the real-time protection tasks or all real-time protection tasks not found)

-5 Invalid command syntax

-6 Invalid operation (for example, the task is already running or already stopped)

-99 Unknown error

-301 Invalid license key



Return codes for the command KAVSHELL DUMP

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-4 Object not found (path specified as path to the dump file folder not found; process with specified PID not found)

-5 Invalid command syntax

-6 Invalid operation (attempt to execute KAVSHELL DUMP /OFF when dump file creation is already disabled)

-99 Unknown error

Return codes for the command KAVSHELL TRACE

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-4 Object not found (path specified as path to the Tracking logs folder not found)

-5 Invalid command syntax

-6 Invalid operation (attempt to execute KAVSHELL TRACE /OFF when writing of traces is already disabled)

-99 Unknown error

Return codes for the command KAVSHELL IMPORT

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-4 Object not found (importable configuration file not found)

-5 Invalid syntax

-99 Unknown error

501 Operation completed successfully; however, while executing the command an error/comment was generated. For example, Anti-Virus did not import the settings of one of the functional components

-502 File being imported is missing or has an unrecognized format

-503 Incompatible settings (configuration file exported from a different application or a later and incompatible version of Anti-Virus)

Return codes for the command KAVSHELL EXPORT

Return code Description

0 Operation completed successfully

-2 Service not running

-3 Permissions error

-5 Invalid syntax

-10 Unable to create a configuration file (for example, no access to the folder specified in the path to the file)

-99 Unknown error

501 Operation completed successfully; however, an error/comment occurred during the command execution, for example, Anti-Virus did not export parameters of some functional component
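A wrapper for scheduled or scripted KAVSHELL calls that turns the return codes in this chapter into a status a monitoring job can act on, as an added PowerShell example that is not part of the guide. The function names, the status buckets and starting kavshell.exe by name are assumptions of this example; the descriptions come from the tables above, and only SCAN, FULLSCAN, UPDATE, IMPORT and EXPORT get command-specific entries. Codes are compared exactly because most failures are negative, so a test for "1 or higher" misses them.

```powershell
# Added example, not part of the guide. Descriptions are taken from Chapter 17;
# the Status buckets (OK/Info/Warning/Threat/Incomplete/Error/Unknown) are this
# example's own. Requires Windows PowerShell 3.0 or later.

# Codes worded the same way for every command that defines them.
$KavCommon = @{
    '0'    = 'Operation completed successfully'
    '-2'   = 'Service not running'
    '-3'   = 'Permissions error'
    '-4'   = 'Object not found'
    '-5'   = 'Invalid command syntax'
    '-6'   = 'Invalid operation'
    '-99'  = 'Unknown error'
    '-301' = 'Invalid license key'
}

# Codes that exist only for particular commands.
$KavSpecific = @{
    'SCAN'   = @{
        '1'   = 'Operation canceled'
        '-80' = 'Infected objects found'
        '-81' = 'Suspicious objects found'
        '-82' = 'Processing errors detected'
        '-83' = 'Unchecked objects found'
        '-84' = 'Corrupted objects found'
    }
    'UPDATE' = @{
        '200'  = 'All objects are up-to-date'
        '-206' = 'Extension files are missing in the specified source or have unknown format'
        '-209' = 'Error connecting to the update source'
        '-232' = 'Anti-Virus was not authenticated when connecting to the proxy server'
        '-234' = 'Error connecting to Kaspersky Administration Kit'
        '-235' = 'Anti-Virus was not authenticated when connecting to the update source'
    }
    'IMPORT' = @{
        '501'  = 'Completed, but an error/comment was generated'
        '-502' = 'File being imported is missing or has an unrecognized format'
        '-503' = 'Incompatible settings'
    }
    'EXPORT' = @{
        '501' = 'Completed, but an error/comment occurred'
        '-10' = 'Unable to create a configuration file'
    }
}
$KavSpecific['FULLSCAN'] = $KavSpecific['SCAN']

function Get-KavShellOutcome {
    param(
        [Parameter(Mandatory = $true)][string]$Command,   # e.g. SCAN, UPDATE, EXPORT
        [Parameter(Mandatory = $true)][int]$Code          # value of $LASTEXITCODE
    )
    $cmd  = $Command.ToUpperInvariant()
    $key  = [string]$Code
    $text = $null
    if ($KavSpecific.ContainsKey($cmd) -and $KavSpecific[$cmd].ContainsKey($key)) {
        $text = $KavSpecific[$cmd][$key]
    } elseif ($KavCommon.ContainsKey($key)) {
        $text = $KavCommon[$key]
    }

    # Exact comparisons: positive codes are informational, findings and
    # failures are negative.
    $status = if     ($null -eq $text)         { 'Unknown' }
              elseif ($Code -eq 0)             { 'OK' }
              elseif ($Code -in 1, 200)        { 'Info' }
              elseif ($Code -eq 501)           { 'Warning' }
              elseif ($Code -in -80, -81)      { 'Threat' }
              elseif ($Code -in -82, -83, -84) { 'Incomplete' }
              else                             { 'Error' }

    [pscustomobject]@{ Command = $cmd; Code = $Code; Status = $status; Description = $text }
}

function Invoke-KavShell {
    param(
        [Parameter(Mandatory = $true)][string]$Command,
        [string[]]$Arguments = @(),
        [string]$KavShell = 'kavshell.exe'   # assumption: resolvable by name
    )
    # Send kavshell's console output to the host so only the outcome is returned.
    & $KavShell $Command @Arguments | Out-Host
    Get-KavShellOutcome -Command $Command -Code $LASTEXITCODE
}

# Constructed sample codes; no kavshell call is needed to see the classification.
Get-KavShellOutcome -Command SCAN   -Code (-80)
Get-KavShellOutcome -Command UPDATE -Code 200
Get-KavShellOutcome -Command EXPORT -Code (-10)

# With a command from this chapter:
# $r = Invoke-KavShell -Command EXPORT -Arguments 'Server1.xml'
# if ($r.Status -notin 'OK', 'Info') { Write-Warning "$($r.Command) returned $($r.Code)" }
```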
PART 3. CONFIGURING AND MANAGING APPLICATION USING KASPERSKY ADMINISTRATION KIT
If your organization uses Kaspersky Administration Kit for centralized management of the Anti-Virus applications, you can control the Anti-Virus on the protected servers and configure it using the Kaspersky Administration Kit Administration Console.
This section contains the following information:
• Managing Anti-Virus and viewing its status (see Chapter 18 on pg. 252);
• Creating and configuring policies (see Chapter 19 on pg. 261);
• Configuring Anti-Virus in the Application settings dialog box (see Chapter 20 on pg. 274);
• Creating and configuring tasks (see Chapter 21 on pg. 303).
CHAPTER 18. MANAGING ANTI-VIRUS AND VIEWING ITS STATUS

This chapter contains the following information:

• starting and stopping the Anti-Virus service (see 18.1 on pg. 252);
• viewing the server protection status (see 18.2 on pg. 253);
• viewing the Anti-Virus statistics (see 18.3 on pg. 255);
• viewing the Anti-Virus details (see 18.4 on pg. 257);
• viewing information about installed keys (see 18.5 on pg. 258).

18.1. Starting and stopping the Anti-Virus service
The Anti-Virus service starts automatically at the operating system startup. This
service is used to control the processes in which real-time protection, on-demand
scan and updating tasks are executed.
By default, when the Anti-Virus service is started, the tasks Real-time file protection, Script Monitoring, Scan at the system startup and Application integrity control, as well as other tasks that are scheduled to start At the application start, will be started.
If you stop the Anti-Virus service, execution of all tasks will be terminated. After you restart the Anti-Virus service, the terminated tasks will not be resumed automatically. Only those tasks scheduled to start At the application startup will be restarted.
In order to start or stop the Anti-Virus service:
1. In the Administration Console tree open the Groups node and select
the group including the protected server.
2. In the results panel open the context menu of the line containing information about the protected server and select its Properties.

3. In the Properties: <computer name> dialog use the Applications tab to select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications and press the Properties button.
4. In the Application settings dialog open the General tab.
5. Perform one of the following actions:
• in order to start the Anti-Virus service, press the Start button;
• in order to stop the Anti-Virus service, press the Stop button.
6. Press the OK button.

18.2. Viewing the server protection status
You can view the protection status of the selected server in the Administration Console: the status of the Real-time file protection and the Script Monitoring tasks, the overall status of the server from the point of view of the Anti-Virus security and its accessibility.
In order to view the protection status of the selected server:
1. Expand the Groups node in the Administration Console tree and select
a group to which the protected server belongs.
2. In the result panel right-click the line with the information about the protected server and select Properties.
3. Switch to the Protection tab in the <Computer name> Properties dialog box that will open (see Figure 93).

Figure 93. The <Computer name> Properties dialog box, the Protection tab

The Protection tab displays the following information about the protected server:

Field    Description

Real-time protection status    Displays the real-time protection status: Enabled, if the Real-time file protection or the Script monitoring task is enabled.
If the Real-time protection task is enabled, the real-time protection status reflects the security level used in the task:
• Recommended – the security settings used by the task match the pre-defined Recommended level;
• Maximum protection – the security settings used by the task match the pre-defined Maximum protection level;
• Maximum speed – the security settings used by the task match the pre-defined Maximum speed level;
• User-defined – the security settings used by the task match the Other security level.
For more information about pre-defined security levels see 6.2.2.1 on pg. 71.

Last full scan date    Date and time of the last execution of an on-demand scan that has the "full computer scan task" status.

Viruses found    The total number of malware programs (names of threats) detected on the protected server (counter of detected threats) since the moment when the Anti-Virus was installed or since the moment the counter was last reset. In order to reset the counter, press the Reset the threat counter button.

Computer status    The server status from the Anti-Virus security point of view. For more details about computer statuses refer to the Kaspersky Lab's Technical Support website, Article code 987.

18.3. Viewing the Anti-Virus statistics
You can view the following statistical information about the Anti-Virus on the selected protected server in the Administration Console: the number of Anti-Virus processes, number of records in the Anti-Virus bases installed, creation date of the latest bases updates installed and the information about the operation of individual functional components of the Anti-Virus and about task execution.

Note
If you wish to view Anti-Virus statistics in real-time, open port UDP 15000 in
Windows firewall of the computer on which the Administration server is installed.

In order to view the Anti-Virus statistics:


1. Expand the Groups node in the Administration Console tree and select
a group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the
result panel and select Properties.
3. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed Anti-Virus applications on the Applications tab of the Computer Settings (Properties) dialog box and press the Statistics button. The Statistics dialog box will open (see Figure 94).

Figure 94. The Statistics dialog box

The following information will be displayed in the Statistics dialog box:

Field    Description

Database release time (UTC)    UTC (Coordinated Universal Time) date and time of the creation of the latest installed bases update by Kaspersky Lab.

Number of active processes    The number of Anti-Virus processes currently used to execute real-time protection, on-demand scan and updating tasks

Database records count    The total number of records in the Anti-Virus bases installed on the server

Quarantine statistics    Information about the current quarantine status (for more details see 11.9 on pg. 171)

Real-time file protection statistics    Information about the Real-time file protection task (for details see 6.3 on pg. 83)

Blocking access to the server statistics    Information on the number of computers whose access to the protected server has been blocked since the last time Anti-Virus was started (for more details, see 7.9 on pg. 97).

On-demand scan statistics    Information about the Real-time file protection task (for details see 9.4 on pg. 133)

Script monitoring statistics    Information about the number of scripts processed by the Anti-Virus since the moment the Script monitoring task was started until the current moment (for details see 6.5 on pg. 86)

Backup statistics    Information about the current backup storage status (for more details see 12.6 on pg. 183).

Note
Information about the Real-time file protection, Script monitoring and on-demand scan tasks is displayed only while the corresponding task is being performed.

18.4. Viewing Anti-Virus details


You can view information about the Anti-Virus and its bases.
To view information about the Anti-Virus:
1. In the Administration Console tree open the Groups node and select
the group including the protected server.
2. In the results panel open the context menu of the line containing information about the protected server and select its Properties.
3. In the Properties: <computer name> dialog use the Applications tab to select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications and press the Properties button.
4. In the Application settings dialog open the General tab.
The following is displayed on the General tab (see Figure 103):
• general information about the Anti-Virus:
  o version number;
  o installation date and time;
  o date and time of the last Anti-Virus modules update;
  o Anti-Virus service status (started/stopped);
• information about the Anti-Virus bases:
  o date and time of the creation of the bases updates installed (in the format specified in the regional settings of the computer on which the Administration Console is installed);
  o the total number of records in the Anti-Virus bases;
  o date and time of the latest update.

18.5. Viewing information about installed keys
In order to view information about the installed keys:
1. In the Administration Console tree open the Groups node and select
the group including the protected server.
2. In the results panel open the context menu of the line containing information about the protected server and select its Properties.
3. In the Properties: <computer name> dialog use the Applications tab to select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications and press the Properties button.
4. In the Application settings dialog open the Licenses tab (see Figure 95).

Figure 95. The Application Settings dialog box, the Licenses tab

The following information about installed keys will be displayed on the License tab:

Field    Description

Serial number    Key serial number

Type    Key type (for beta testing, trial or commercial key). For more details about key types refer to section 14.1 on pg. 209.

Activation date    Key installation date (only for active keys)

Expiration date    The key expiration date is calculated by Anti-Virus after the key installation (only for active keys); it is the date of the expiration of the key validity period since the moment of its activation, but not later than the date on which the key becomes invalid.

License period    Days remaining before the license key expires.

Limit computer count    Restrictions provided for by the key (if any)
CHAPTER 19. CREATING AND CONFIGURING POLICIES

This chapter contains the following information:

• about policies (see 19.1 on pg. 261);
• creating a policy (see 19.2 on pg. 262);
• configuring a policy (see 19.3 on pg. 268);
• disabling schedules for launching local system tasks (see 19.4 on pg. 272).

19.1. About policies


You can create global Kaspersky Administration Kit policies for managing protection on several servers where Anti-Virus is installed.
The Policy enforces the Anti-Virus settings, functions and tasks specified in it on
all the protected servers for one administration group.

Note
You cannot create protection/scan scopes using policies in the Real-time file
protection and on-demand scan tasks.

You can create several policies for one administration group and enforce them in
turns. In the Administration Console, the policy currently active for a group has
the status active.
Information on policy enforcement is logged in the Anti-Virus system audit log.
You can view it in the Anti-Virus console in MMC under the System audit log
node.
Of all the methods for enforcing policies, you can only use the Do not modify settings method, which does not involve saving values of the settings determined by the policy in Anti-Virus. You cannot use the Enforce mandatory settings or Enforce all settings policy enforcement methods.
Using the Do not modify settings policy enforcement method, Anti-Virus will enforce the settings that you selected while the policy is active instead of the values for those settings in place before the policy is enforced. Anti-Virus will not enforce the settings with their checkbox select in the policy properties. After the policy is no longer active, the settings replaced by the policy will take the values used before the policy was enforced.
While the policy is active, the settings in the Application settings dialog box of Administration Console marked with the icon in the Anti-Virus console in MMC are locked for editing. The remaining settings (which are marked with the icon in the policy) can be edited in the Anti-Virus console in MMC and the Application settings dialog box in Administration Console.
If the policy defines settings for any of the real-time protection tasks and such a task is running, the settings determined by the policy will be enforced immediately. If the task is not running, the settings will be enforced after it is started. If the policy defines settings for other Anti-Virus tasks, those settings will not be applied in tasks currently running when the policy becomes active and will be enforced the next time the task is run.

19.2. Creating a policy


The process of creating a policy involves two steps:
1. You create a policy using a policy creation wizard. Using the windows of the wizard, you can configure settings for Bases Updating, Application Modules Updating, Real-time File Protection, and On-demand Scan tasks.
2. Using the Policy Properties dialog box you can configure settings of the remaining tasks and the Anti-Virus settings.
Using the Policy Properties dialog box you can modify settings of the updating task, on-demand scan tasks and the Real-time file protection tasks configured using the policy creation wizard. For details on configuring a policy that you have created, see 19.3 on pg. 268.
In order to create a policy for a group of servers on which the Anti-Virus is installed:
1. Expand the Groups node in the Administration Console tree, then expand the administration group for the servers of which you wish to create a policy.
2. Select command Create → Policy from the shortcut menu of nested node Policies.
This will open a policy creation wizard window.
3. Enter the name for the policy being created in the entry field of the Policy name window. (The name cannot contain the following characters: " * < : > ? \ / |).

4. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition under heading Application in the Applications window.
5. Select one of the following statuses of the policy in the Create policy window:
• Active, if you want the policy to be applied immediately after it is created. If an active policy already exists in the group, this existing policy will become inactive and the policy you are creating will be activated.
• Inactive, if you do not want the policy you are creating to be applied immediately. In this case you will be able to activate the policy at a later time.
Using the windows of the policy creation wizard, configure settings for the Bases Updating, Application Modules Updating, Real-time File Protection and On-demand Scan tasks based on your requirements.
6. In the Real-time file protection window (see Figure 96), select the object protection mode for Real-time file protection tasks and select one of the preset security levels or configure the security settings manually (see A.3 on pg. 359).
Check the Apply trusted zone flag if you wish to exclude objects described in the Anti-Virus trusted zone from the scan scope of the Real-time file protection task (for more details about trusted zone see section 8.1 on pg. 99; for more details about adding exclusions to the trusted zone in Kaspersky Administration Kit see section 20.7 on pg. 296).

Figure 96. The Real-time file protection window

7. In the On-Demand Scan window (see Figure 97), select one of the preset security levels or configure the security settings manually in the on-demand scan tasks (see A.3 on pg. 359).
Check the Apply trusted zone flag if you wish to exclude objects described in the Anti-Virus trusted zone from the scan scope of on-demand scan tasks (for more details about trusted zone see section 8.1 on pg. 99; for more details about adding exclusions to the trusted zone in Kaspersky Administration Kit see section 20.7 on pg. 296).

Figure 97. The On-demand scan window

8. In the Update dialog box (see Figure 98) configure settings for the Application Databases Update and Application Modules Update.
9. Perform the following actions in the Settings dialog box:
a) select an update source (see A.5.1 on pg. 381);

Figure 98. The Update dialog box

b) Press the LAN settings button. Configure the required connection settings in the Connection Settings dialog box:
o change the FTP server mode for the connection with the protected server and the connection timeout value (see A.5.2 on pg. 382);
o configure the proxy server access settings for connecting to the update source (see A.5.4 on pg. 383);
o specify the location of the protected server(s) on the Regional Settings tab to optimize downloading of the updates (see A.5.5 on pg. 387).
c) In order to configure settings of the Application modules update task, press the Settings button under heading Application modules update and configure the settings of the application modules updating in the Application Modules Update Configuration dialog box (see Figure 99):
o select whether you want the task to download and install the application module updates or only check if updates are available (see A.5.6.1 on pg. 388);

Figure 99. The Product modules update settings dialog box

o If you want Anti-Virus to automatically restart the server upon completion of the task (if this is required in order to apply the installed application modules), check the Allow system reboot box.
o If you want to obtain information about Anti-Virus module upgrades, select Receive information about available application modules updates.
Kaspersky Lab does not publish upgrade packages on update servers for automatic download, but you can download them yourself from the Kaspersky Lab website. You can configure administrator notifications about the event Anti-Virus module routine update available, containing the address of the Kaspersky Lab site where you can download scheduled updates (for more information on configuring notifications, see 15.2 on pg. 216).

Note
Settings of the Updates distribution task can be configured at a later time in the Policy Properties dialog box.

10. Press the Finish button in the final window.


The policy created will be displayed in the list of policies provided in the Policies node of the selected administration group. Now you can configure other settings of the Anti-Virus, its functions and tasks in the Policy Properties dialog box.

19.3. Configuring a policy


You can configure the general Anti-Virus settings and the settings of its functions and tasks for the administration group servers in the Properties dialog box of the existing policy.

Note
You cannot create a protection (scan) area for the Real-time file protection task
and on-demand scan tasks using a policy.

In order to configure settings in the Policy Properties dialog box:


1. Expand the Groups node in the Administration Console tree, then expand the administration group the policy settings of which you wish to configure, then expand nested node Policies.
2. Right-click the policy the settings of which you wish to configure and select Properties.
3. Configure the required policy settings in the <Policy name> Properties dialog box (see Figure 100).

Figure 100. An example of the Policy Properties dialog box

You can configure the policy settings using the following tabs:

Tab: Real-time file protection
Settings: Security settings in the Real-time file protection task:
• protection mode (see setting description in section A.3.1 on pg. 359);
• security settings (common for the entire protection area): you can select a pre-defined security level (see description in section 6.2.2.1 on pg. 71) or configure security settings manually (as well as the MMC console - see instructions on pg. 75).

Tab: Blocking access from computers
Settings:
• settings of automatic access blocking from computers (see instructions on pg. 281);
• excluding computers from blocking (Trusted computers) (see instructions on pg. 282);
• preventing virus outbreaks (see instructions on pg. 283).

Tab: Script monitoring
Settings:
• Allowed or blocked execution of suspicious scripts (please refer to section 6.1 on pg. 62 for details about the option);
• Trusted zone use (please refer to Chapter 8 on pg. 99 for details).

Tab: Trusted zone
Settings:
• Managing the list of trusted processes (same as in dialog box Application settings, see section 20.7 on pg. 296);
• disabling real-time protection of files accessed using backup copying operations (same as in the Application settings dialog box, see section 20.7.2 on pg. 298);
• creation and application of the trusted zone exclusions (see section 20.7 on pg. 296).

Tab: On-demand scan
Settings: Security settings in the on-demand scan tasks (common for the entire protection area): you can select a pre-defined security level (see description in section 9.2.2.1 on pg. 120) or configure the security settings manually (same as in the MMC console - see instructions on pg. 124)

Tab: Update
Settings: Settings of updating tasks Updating Bases and Updating Application
• select the update source (for more details about this setting refer to A.5.1 on pg. 381);
• configure the update source connection settings and specify location of the protected server for optimization of the updates (the Configure LAN button) (same as in the MMC console, see instructions on pg. 147);
• configure settings of the Application module update task (the Configure button) (same as in the MMC console, see instructions on pg. 150);

Tab: Updates distribution
Settings: Updates distribution task settings
• select the update source (for more details about this setting refer to A.5.1 on pg. 381);
• configure the update source connection settings and specify location of the protected server for optimization of the updates (the Configure LAN button) (same as in the MMC console, see instructions on pg. 147);
• configure settings of the Downloading updates task (same as in the MMC console, see instructions on pg. 161).

Tab: System tasks
Settings: Disabling actions of the system task schedule (see 19.4 on pg. 272)

Tab: Quarantine
Settings: Quarantine settings

Tab: Backup
Settings: Backup storage settings

Tab: Enforcement and Additional
Settings: General Anti-Virus settings

Tab: Notification
Settings: Configuring notifications about the Anti-Virus events to be sent to the administrator and the users

Tab: Reports
Settings: Configuring reports

Tab: Events
Settings: Configuring notifications about the Anti-Virus events to be sent to the administrator and the users

4. After you have configured the required policy settings, press the OK button to save changes.

19.4. Disabling / resuming scheduled launch of local predefined tasks
Using policies you can disable the scheduled launch for the following local predefined tasks for all servers of the same administration group:
• Real-time file protection;
• Script monitoring;
• on-demand scan tasks Scan My Computer, Scan Quarantine, Scan at the System Startup and Application integrity control;
• updating tasks Application Bases Update, Application Modules Update and Updates distribution.

Note
If you exclude the protected server from the administration group, the system
task schedule will be automatically disabled.

In order to disable the scheduled launch of the Anti-Virus system task on the group's servers:
1. Expand the Groups node in the Administration Console, expand the required group and select the Policies node in it.
2. In the results panel, right-click the name of the policy with which you wish to disable the scheduled launch of Anti-Virus predefined tasks on the group's servers and select Properties.
3. Open the Predefined tasks tab in the Policy Properties dialog box (see Figure 101).

Figure 101. The Properties dialog box, the Predefined tasks tab

4. Uncheck the box next to the name of the system task whose scheduled launch you wish to disable.
In order to re-enable the system task schedule, check the box next to its name.
5. Press the OK button.

Note
If you disable the scheduled launch of predefined tasks, you can launch them manually either from the Anti-Virus console in MMC or from the Kaspersky Administration Kit administration console.
CHAPTER 20. CONFIGURING ANTI-VIRUS IN THE APPLICATION SETTINGS DIALOG BOX

This chapter contains the following information:

• configuring Anti-Virus settings (see 20.2 on pg. 276);
• blocking access from computers (see 20.3 on pg. 279);
• managing quarantined objects and configuring the quarantine settings (see 20.4 on pg. 288);
• managing objects stored in Backup and configuring Backup settings (see 20.5 on pg. 291);
• configuring notifications about the Anti-Virus events to be sent to the administrator and the users (see 20.6 on pg. 293);
• managing the trusted zone (see 20.7 on pg. 296).
To learn how to open the Application settings dialog box see 20.1 on pg. 274.

20.1. The Application Settings dialog box
Using the Application Settings dialog box you can perform remote management of the Anti-Virus or configure it on the selected protected server.
In order to open the Application Settings dialog box:
1. Expand the Groups node in the Administration Console tree and select a group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the result panel and select Properties.
3. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition in the list of installed applications (see Figure 102) on the Applications tab of the <Computer name> Properties dialog box and press the Properties button.

Figure 102. The list of Anti-Virus applications in the <Computer name> Properties dialog box

An Application Settings dialog box will open (see Figure 103).



Figure 103. The Application Settings dialog box, the General tab

Note
While the Kaspersky Administration Kit policy is active, the settings marked with
the icon in the Application settings dialog box of Administration Console are
locked for editing.

20.2. Configuring general Anti-Virus settings
In order to configure general Anti-Virus settings:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
Change general Anti-Virus settings on the following tabs to meet your needs.
• On the Performance tab (see Figure 104):
o specify the maximum number of processes that Anti-Virus can run (see A.1.1 on pg. 340);
o specify the fixed number of processes to run real-time protection tasks (see A.1.2 on pg. 341);
o specify the maximum number of processes for background on-demand scan tasks (see A.1.3 on pg. 342);
o specify the number of task recovery attempts after their abnormal termination (see A.1.4 on pg. 343).

Figure 104. The Application Settings dialog box, the Performance tab

• On the Additional tab (see Figure 105):
o specify whether you want the Anti-Virus icon to be displayed in the server task notification area each time Anti-Virus automatically restarts after the server restart (for more details about the Anti-Virus icon see section 2.4 on pg. 32);
o specify how many days the summary and detailed task performance reports displayed in the Reports nodes of the Anti-Virus console in MMC will be saved (see A.1.5 on pg. 344);
o specify how many days the information displayed in the System audit log nodes of the Anti-Virus console in MMC will be saved (see A.1.6 on pg. 344);
o specify the Anti-Virus actions when the server is running on an uninterruptible power supply (see A.1.7 on pg. 345);
o specify the maximum number of days after which the events Database is obsolete, Database is outdated and Full computer scan has not been performed for a long time will be triggered (see A.1.8 on pg. 346).

Figure 105. The Application Settings dialog box, the Additional tab

• On the Malfunction diagnostics tab (see Figure 106):
o enable or disable the writing to traces; if writing to traces is enabled, configure the log settings (see A.1.9 on pg. 346);
o enable or disable creation of Anti-Virus process memory dump files (see A.1.10 on pg. 351).

Figure 106. The Application settings dialog box, Malfunction diagnosis tab

2. After you have configured the required Anti-Virus settings, press the OK button.

20.3. Blocking access from computers
You can manage blocking access from computers and prevention of virus outbreaks in the Application settings dialog box (for more details see section 7.1 on pg. 87).
You can perform the following operations:
• enable or disable automatic blocking from computers (see 20.3.1 on pg. 280);
• configure settings of blocking access from computers (see 20.3.2 on pg. 281);
• add computers to the list of computers excluded from blocking (see 20.3.3 on pg. 282);
• enable automatic switching to a higher security level if the number of blocked computers reaches the threshold value (function Prevention of virus outbreaks) (see 20.3.4 on pg. 283);
• view the access blocking list (see 20.3.5 on pg. 285);
• manually block access from computers (see 20.3.6 on pg. 286);
• open access from computers (see 20.3.7 on pg. 287).

20.3.1. Enabling or disabling automatic blocking of access from computers
For more details about the function of automatic blocking of access from computers refer to section A.4.1 on pg. 375.

Note
If you enable the function of automatic blocking of access from computers, it will be enabled only when the Real-time file protection task is running.

In order to enable or disable the function of blocking access from computers:

1. Open the Application Settings dialog box (see section 20.1 on pg. 274).
2. Perform one of the following actions on the Blocking access from computers tab (see Figure 107):
• in order to enable the function of automatic blocking from computers, check the Enable blocking the access from computers to the server box;
• in order to disable the function of automatic blocking from computers, uncheck the Enable blocking the access from computers to the server box.

Figure 107. The Application Settings dialog box, tab Blocking access from computers

20.3.2. Configuring settings of automatic access blocking from computers
In order to configure settings of automatic access blocking from computers:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Switch to the Blocking access from computers tab and make sure that the Enable blocking the access from computers to the server box is checked (see A.4.1 on pg. 375).
3. In the Actions on computer settings group select actions that the Anti-Virus will perform if a computer attempts to write an infected or a suspicious object on the server (see A.4.2 on pg. 376).
• If you selected Block access from computer to the server, specify a time period for which you wish to block access from the specified computers to the server in days, hours or minutes.
• If you selected Run executable file, press the list button in the Executable file dialog box (see Figure 108), specify the executable file (name and full path to it) and the account under which the file will be executed.

Figure 108. The Executable file dialog box

4. Press the OK button in the Application Settings dialog box.

20.3.3. Excluding computers from blocking (Trusted computers)
In order to add computers to the list of computers excluded from blocking (see A.4.3 on pg. 377):
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Switch to the Blocking access from computers tab and make sure that the Enable blocking the access from computers to the server box is checked (see A.4.1 on pg. 375).
3. Check the Do not block specified computer box in the Trusted computers settings group and perform the following actions:
a) Press the Add button and specify the computer in the Blocking access from computers dialog box (see Figure 109). Perform one of the following actions:
o select Use network computer name and specify the computer's NetBIOS name;
o specify the unique IP address: select Use network IP address or enter the computer's IP address;
o specify the range of IP addresses: select Use IP address range. Enter the first IP address of the range in the IP address field and the last IP address in the End IP address field. All computers whose IP addresses are within the specified range will be treated as trusted computers.

Figure 109. The Add Computer dialog box

b) Press the OK button.


4. Press the OK button in the Application Settings dialog box.

20.3.4. Preventing virus outbreaks

You can use the Virus outbreak prevention function: when this function is enabled, Anti-Virus will automatically increase the security level when the number of blocked computers reaches the threshold value.
Description of Virus outbreak prevention is provided in A.4.4 on pg. 378.
In order to enable / disable the Virus outbreak prevention function:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Switch to the Blocking access from computers tab and make sure that the Enable blocking the access from computers to the server box is checked.
3. Press the Additional button.
4. Perform one of the following actions in the Additional dialog box (see Figure 110).
• In order to enable the Virus outbreak prevention function:
a) check the Increase security level if the number of computers exceeds box;
b) indicate the number of blocked computers in the blocking list that, when reached, would cause the Anti-Virus to switch to the higher security level;
c) enable or disable restoring the security level once the number of computers blocked from accessing the server decreases and reaches the specified value. Specify the number of computers in the Restore security level if the number of computers is lower than … field.
• In order to disable the Virus outbreak prevention function, uncheck the Increase security level if the number of computers exceeds box.

Figure 110. The Additional dialog box

5. Press the OK button.


6. Press the OK button in the Application Settings dialog box.
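
The following Python model is an added illustration, not Kaspersky code: it shows how the trusted-computers list (20.3.3) and the two Virus outbreak prevention thresholds (20.3.4) interact with a timed blocking list. The class names, the sample hosts and the rule that the restore value must be lower than the raise value are assumptions of the model; both thresholds are treated as reached when the count equals them.

```python
import ipaddress
from datetime import datetime, timedelta


class TrustedComputers:
    """Computers excluded from blocking: by NetBIOS name, IP address or IP range."""

    def __init__(self):
        self.names, self.addresses, self.ranges = set(), set(), []

    def add_name(self, netbios_name):
        self.names.add(netbios_name.upper())  # NetBIOS names are case-insensitive

    def add_ip(self, ip):
        self.addresses.add(ipaddress.ip_address(ip))

    def add_range(self, first, last):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {first} - {last}")
        self.ranges.append((lo, hi))

    def is_trusted(self, netbios_name, ip):
        addr = ipaddress.ip_address(ip)
        if netbios_name.upper() in self.names or addr in self.addresses:
            return True
        # Both ends of a range are inclusive.
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self.ranges)


class BlockingModel:
    """Timed blocking list plus the raise/restore thresholds (hypothetical model)."""

    def __init__(self, trusted, block_for, raise_at, restore_at=None):
        # Assumption: a restore value at or above the raise value would make
        # the security level flip back and forth, so the model rejects it.
        if restore_at is not None and restore_at >= raise_at:
            raise ValueError("restore threshold must be below the raise threshold")
        self.trusted, self.block_for = trusted, block_for
        self.raise_at, self.restore_at = raise_at, restore_at
        self.blocked = {}    # computer name -> blocking end date
        self.raised = False  # True while the higher security level is in force

    def _refresh(self, now):
        # Drop entries whose blocking end date has passed, then apply thresholds.
        self.blocked = {h: end for h, end in self.blocked.items() if end > now}
        count = len(self.blocked)
        if not self.raised and count >= self.raise_at:
            self.raised = True
        elif self.raised and self.restore_at is not None and count <= self.restore_at:
            self.raised = False
        return count

    def infected_write(self, name, ip, now):
        """A computer attempted to write an infected or suspicious object."""
        if not self.trusted.is_trusted(name, ip):
            self.blocked[name.upper()] = now + self.block_for
        self._refresh(now)
        return name.upper() in self.blocked

    def tick(self, now):
        """Re-evaluate the list at a later moment; returns (count, raised)."""
        return self._refresh(now), self.raised


def run_demo():
    """Replay constructed events; returns (minute, blocked count, level raised)."""
    trusted = TrustedComputers()
    trusted.add_name("BACKUP01")
    trusted.add_range("10.0.5.10", "10.0.5.20")
    model = BlockingModel(trusted, timedelta(minutes=30), raise_at=3, restore_at=1)
    t0 = datetime(2008, 7, 1, 9, 0)
    writes = [  # constructed sample events: (minute, NetBIOS name, IP address)
        (0, "WS-101", "10.0.1.11"),
        (5, "backup01", "10.0.9.9"),   # trusted by name
        (10, "WS-102", "10.0.5.15"),   # trusted by IP range
        (15, "WS-103", "10.0.1.13"),
        (20, "WS-104", "10.0.1.14"),   # third blocked computer: level is raised
    ]
    timeline = []
    for minute, name, ip in writes:
        model.infected_write(name, ip, t0 + timedelta(minutes=minute))
        timeline.append((minute, len(model.blocked), model.raised))
    for minute in (31, 46, 51):        # blocks expire 30 minutes after each write
        count, raised = model.tick(t0 + timedelta(minutes=minute))
        timeline.append((minute, count, raised))
    return timeline


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In the replay the level stays raised after the first block expires and is restored only when the count falls to the restore value, which is the behaviour to keep in mind when choosing the two numbers and the blocking period.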

20.3.5. Viewing the server access blocking list

Attention!
Computers that are in the server blocking list are denied access to the protected server only when the Real-time file protection task is running and the automatic access blocking feature is enabled.

In order to view the list of computers whose access to the protected server is currently blocked:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Press the Blocking list button on the Blocking access from computers tab (see Figure 111).

Figure 111. The Blocking list of server access dialog box

The Blocking list of server access dialog box contains the following information on computers that currently are blocked from accessing the protected server:

| Field | Description |
| --- | --- |
| Computer | Information about the computer in the blocking list obtained by Anti-Virus (network name, IP address) |
| Blocking date | Date and time when the access from a computer was blocked; it is displayed using the format specified by the Microsoft Windows regional settings of the computer on which the Administration Console is installed. |
| Blocking end date | Date and time when the computer will be unblocked; it is displayed using the format specified in the Microsoft Windows regional settings of the computer on which the Administration Console is installed. |

20.3.6. Manually blocking access from computers
If you have information that any computer in the local network is infected, you can temporarily block access from it to the protected server.

Attention!
Computers that are in the server blocking list are denied access to the protected server only when the Real-time file protection task is running and the automatic access blocking feature is enabled.

In order to block access from a computer to the server:

1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Press the Blocking list button on the Blocking access from computers tab.
3. Press the Block computer button in the Blocking dialog box.
4. Using the Blocking access from computer dialog box (see Figure 112) specify the network name of the computer from which you wish to block access.

Note
In the Computer Name field specify only computers' network NetBIOS
names; do not specify DNS addresses.

Figure 112. The Blocking access from computer dialog box

Note
Please specify network name of computer that should be added to the
blocking list.

5. After this perform one of the following actions:
• select Blocking access from the computer to the server for the period of and specify the period for which the access from the computer to the server will be blocked;
• select Block access from computer to the server until and specify the date and time when the computer will be unblocked.

Note
Specify the date and time relative to the current date and time of
the protected server.

6. Press the OK button.


7. Press the OK button in the Application Settings dialog box.

20.3.7. Unblocking access from computers

In order to unblock access from a computer:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. Press the Blocking list of server access button on the Blocking access from computers tab.
3. Select a computer you wish to unblock in the list of blocked computers in the Blocking list of server access dialog box and press the Unblock computer button.
In order to unblock all blocked computers press the Unblock all button.
4. Press the OK button.
5. Press the OK button in the Application Settings dialog box.

20.4. Managing quarantined objects and configuring the quarantine settings

20.4.1. Quarantine functions and configuration tools
The table provided below lists the functions of the quarantine and the administration tools using which you can control these functions.
Table 18. Quarantine functions and configuration tools

| Quarantine function | Kaspersky Administration Kit Administration Console | Anti-Virus console in MMC |
| --- | --- | --- |
| Viewing, sorting, removing objects | yes (see Kaspersky Administration Kit. Administrator's Guide) | yes |
| Filtering objects | no | yes |
| Sending suspicious quarantined objects to the Anti-Virus lab for analysis | no | yes |
| Placing objects into quarantine manually | no | yes |
| Restoring objects from quarantine | yes (only to the original location) | yes |
| Scanning quarantined objects | yes. Start task Scan Quarantine. | yes |
| Configuring quarantine settings | yes. See 20.4.2 on pg. 289. | yes |
| Viewing quarantine statistics | yes. See Viewing Anti-Virus Statistics, 18.3 on pg. 255 | yes |

20.4.2. Configuring quarantine settings

You can configure quarantine settings in the Application settings dialog box of the selected protected server.
Information about isolation of the suspicious objects is provided in 11.1 on pg. 155.
In order to configure the quarantine settings:
1. Open the Application Settings dialog box (see 20.1 on pg. 274).
2. If required, modify the quarantine settings on the Quarantine tab:
• in order to specify a different folder as the quarantine location, select the required folder on the disk using the Quarantine folder field or enter full path to it (see A.6.1 on pg. 391);
• in order to restrict the maximum size of the quarantine, check the Maximum quarantine size box and specify the required value of this setting in megabytes (see A.6.2 on pg. 392);
• in order to specify a threshold of the minimum free space in the quarantine, check the Maximum quarantine size box, check the Threshold of free space box and specify the required value for this setting in megabytes (see A.6.3 on pg. 393);
• in order to specify a different folder as the destination folder for object restoration, select the required folder on the disk using the Restoration settings group or enter full path to this folder (see A.6.4 on pg. 394).

Figure 113. The Application Settings dialog box, the Quarantine tab

3. Press the OK button.



20.5. Managing files in Backup and configuring backup storage settings

20.5.1. Functions of Backup and tools used to control these functions
The table provided below lists the functions of Backup and the administration tools using which you can control these functions.
Table 19. Backup storage functions

| Backup storage functions | Kaspersky Administration Kit Administration Console | Anti-Virus Console in MMC |
| --- | --- | --- |
| viewing, sorting, removing objects | yes | yes |
| filtering files | no | yes |
| restoring objects from Backup | yes (only to the original location) | yes |
| configuring Backup settings | yes. See 20.5.2 on pg. 291 | yes |
| viewing Backup statistics | yes. See Viewing Anti-Virus Statistics, 18.3 on pg. 255. | yes |

20.5.2. Configuring Backup settings

You can configure backup storage settings in the Application settings dialog box of the selected protected server.
For information about creating backup copies of objects before attempting to disinfect or delete them see 12.1 on pg. 173.
In order to configure Backup settings:

1. Open the Application Settings dialog box (see 20.1 on pg. 274) and switch to the Backup tab.
2. Configure the required settings of Backup on the Backup tab (see Figure 114):
• in order to specify a different folder as the Backup folder, select the required folder on the disk using the Backup folder field or enter full path to it (see A.7.1 on pg. 395);
• in order to change the maximum size of Backup, check the Maximum storage size box and specify the required value of this setting in megabytes (see A.7.2 on pg. 396);
• in order to change the threshold of the minimum free space in Backup, check the Maximum storage size box, make sure that the Threshold of free space box is checked and specify the required value for this setting in megabytes (see A.7.3 on pg. 396);
• in order to specify a different folder as the destination folder for object restoration, select the required folder on the disk in the Restoration settings group or enter full path to it (see A.7.4 on pg. 397).

Figure 114. The Application Settings dialog box, the Backup tab

3. Press the OK button.

20.6. Configuring notifications

This section contains the following information:
• general information on notification settings through Administration Console (see 20.6.1 on pg. 293);
• configuring administrator and user notification settings on the Notification tab (see 20.6.2 on pg. 295).

20.6.1. General information

Using the Kaspersky Administration Kit Administration Console you can configure notifications for the administrator and the users about the events related to the operation of the Anti-Virus and the status of the Anti-Virus protection of the protected server:
• the administrator can receive information about events of selected types;
• users of the local network who access the protected server can receive information about events of types Threat detected and Computer added to the blocking list; terminal server users can receive information about events of the Threat detected type.
You can configure notifications about the Anti-Virus events either for a single server using the Application Properties dialog box of the selected server or for a group of servers using the Policy Properties dialog box.
You can configure notifications in these dialog boxes on the Events tab or on the Notification tab.
• You can configure notifications to the administrator about events of selected types on the Events tab (standard tab of the Kaspersky Administration Kit application). For the description of notification methods you can configure and how you can do it see document Kaspersky Administration Kit. Administrator's Guide.
• You can configure both administrator's and users' notifications on the Notification tab. For information about the methods of notifications you can configure on the Notification tab, see 15.1 on pg. 214. To learn how to configure notifications on the Notification tab see 20.6.2 on pg. 295.
Notifications about events of some types can only be configured on one of the tabs, while notifications about events of other types can be configured on both of them.

Note
If you configure notifications about events of one type using two tabs (both Events and Notification), the administrator will receive notifications about these events twice.

20.6.2. Configuring administrator's and users' notifications on the Notification tab
In order to configure notifications:
1. Open the Application Settings dialog box (see 20.1 on pg. 274) and switch to the Notification tab.
2. Using the Notification tab (see Figure 115) configure notifications about events of the required types and press the OK button.
Configuring notifications on the Notification tab is similar to the process of configuring notifications in the Notifications dialog box of the Anti-Virus Console in MMC. For details on configuring notifications using the Notification tab see 15.2 on pg. 216.

Figure 115. The Application Settings dialog box, the Notification tab

20.7. Managing the trusted zone

This section contains the following information:
• adding processes to the list of trusted processes (see section 20.7.1 on pg. 296);
• disabling real-time file protection for the time of backup copying (see section 20.7.2 on pg. 298);
• excluding threats (see section 20.7.3 on pg. 299);
• applying a trusted zone (see section 20.7.4 on pg. 302).
For more details about Anti-Virus trusted zone see section 8.1 on pg. 99.

20.7.1. Adding processes to the list of trusted processes
Using the Kaspersky Administration Kit Administration Console you can add executable files of processes on the disk of the protected server to the trusted zone; note that you cannot add processes from the list of active processes on the server.
For more details about Anti-Virus trusted zone refer to section 8.1 on pg. 99.
In order to add a process to the list of Anti-Virus trusted processes:
1. Open the Application Settings dialog box (see 20.1 on pg. 274) and switch to the Trusted zone tab (see Figure 116).
2. Enable the List of trusted processes function: check the Do not monitor file activity of the specified processes box.

Figure 116. The Application Settings dialog box, the Trusted zone tab

3. In order to select an executable file of the process on the drive of the protected server, perform the following:
a) Press the Add button in the Trusted zone tab;
b) Press Browse in the Add trusted process dialog box and select an executable process file on the local drive of the protected server.
The filename and the path to this file will be displayed in the Add trusted process dialog box.
c) Press the OK button.
The name of the selected executable process file will then be displayed in the List of trusted processes in the Trusted zone tab.
4. Press OK to save the changes.

20.7.2. Disabling real-time file protection during backup copying
You can disable real-time file protection for files accessed during the backup copying. Anti-Virus will scan files which the backup copying application opens for reading with the FILE_FLAG_BACKUP_SEMANTICS attribute.
In order to disable real-time file protection during the backup copying:
1. Open the Application Settings dialog box (see section 20.1 on pg. 274) and switch to the Trusted zone tab (see Figure 117).

Figure 117. The Application Settings dialog box, the Trusted zone tab

2. In order to disable real-time protection of files accessed by the backup file copying task, check the Do not check files backup operations box.
3. Press OK to save the changes.
4. Apply trusted zone exclusions in the selected tasks and policies (see section 20.7.4 on pg. 302).

20.7.3. Adding exclusions to the trusted zone
You can add to the trusted zone objects to be excluded from the scan. For more details about the trusted zone refer to section 8.1 on pg. 99.
In order to add an exclusion:
1. Open the Application Settings dialog box (see section 20.1 on pg. 274) and switch to the Trusted zone tab (see Figure 118).
2. Press the Add button under the Exclusions heading.

Figure 118. The Application Settings dialog box, Trusted zone tab

An Exclusion rule dialog box will open.



Figure 119. The Exclusion rule dialog box

3. Specify the rule using which Anti-Virus will exclude the object.

Note
In order to exclude specified threats within the specified folders or files
check the Object box and the Threats box.
In order to exclude all threats within the specified folders or files, check
the Object box and uncheck the Threats box.
In order to exclude a specified threat within the entire scan area, uncheck the Object box and check the Threats box.

• If you wish to specify the object's location, check the Object box, press the Change button and use the Object selection dialog to specify the object that will be excluded from scanning, then press the OK button:
o Predefined scope. Select one of the predefined scanning areas in the list.
o Disc or folder. Specify the server drive or folder on the server or in the local network.
o File. Specify the file on the server or in the local network.
o File or URL of the script. Select the script on a protected server, in the local network or on the Internet.

Note
You can use masks for folder and file names using the characters ? and *.

Figure 120. The Select Object dialog box

• If you wish to specify the name of a threat, check the Threats box, press the Change button and add names of threats in the Threat Exception List dialog box (for more details about this setting see section A.3.9 on pg. 370).
4. Check the boxes next to the names of functional components in whose tasks the exclusion rule will be applied.
5. Press OK.
• In order to edit a rule, select the rule you wish to edit on the Trusted Zone tab, press the Modify button and edit it in the Exclusion rule dialog box.
• In order to delete a rule, select it on the Trusted Zone tab, press the Delete button and confirm the operation.
6. Press OK in the Application Settings dialog box.
7. If required, apply exceptions of the trusted zone in the selected tasks and policies (see section 20.7.4 on pg. 302).
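
The Object / Threats combinations from the Note in step 3, as an added Python example (not Kaspersky code) for reviewing which detections a set of exclusion rules would suppress and which rules are broad. Rule names, sample paths and threat names are constructed; treating the object as a case-insensitive mask over the full path and matching threat names exactly are assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Functional component names as they appear on the policy tabs in this guide.
RTP, SCRIPTS, ODS = "Real-time file protection", "Script monitoring", "On-demand scan"


def mask_matches(mask, path):
    """Match a path against a mask in which only ? and * are special.

    Assumption: matching is case-insensitive and * may span backslashes.
    """
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in mask)
    return re.fullmatch(pattern, path, re.IGNORECASE | re.DOTALL) is not None


@dataclass(frozen=True)
class ExclusionRule:
    name: str                                  # hypothetical label for reporting
    components: FrozenSet[str]                 # step 4: tasks that apply the rule
    object_mask: Optional[str] = None          # None = Object box unchecked
    threats: Optional[FrozenSet[str]] = None   # None = Threats box unchecked

    def __post_init__(self):
        if self.object_mask is None and not self.threats:
            raise ValueError("check the Object box, the Threats box, or both")

    def scope(self):
        """Which of the three combinations from the Note this rule is."""
        if self.object_mask is not None and self.threats:
            return "listed threats in object"
        if self.object_mask is not None:
            return "all threats in object"
        return "listed threats in entire scan area"

    def excludes(self, component, path, threat):
        """True if a detection made by this component would be skipped."""
        if component not in self.components:
            return False
        if self.object_mask is not None and not mask_matches(self.object_mask, path):
            return False
        if self.threats and threat.lower() not in {t.lower() for t in self.threats}:
            return False
        return True


def suppressed_by(rules, detections):
    """For each detection, the names of the rules that would hide it."""
    return [[r.name for r in rules if r.excludes(*d)] for d in detections]


def broad_rules(rules):
    """Rules that are not limited to both an object and a threat list."""
    return [r.name for r in rules if r.scope() != "listed threats in object"]


# Constructed sample rules, one per combination described in the Note.
RULES = [
    ExclusionRule("R1", frozenset({RTP}), object_mask=r"D:\Backup\*"),
    ExclusionRule("R2", frozenset({RTP, ODS}),
                  threats=frozenset({"Sample.Riskware.Tool"})),
    ExclusionRule("R3", frozenset({RTP}), object_mask=r"C:\Users\*\tmp?.dat",
                  threats=frozenset({"Sample.Threat.A"})),
]

# Constructed sample detections: (component, object path, threat name).
DETECTIONS = [
    (RTP, r"D:\Backup\archive\old.zip", "EICAR-Test-File"),
    (ODS, r"D:\Backup\archive\old.zip", "EICAR-Test-File"),
    (RTP, r"C:\Tools\tool.exe", "Sample.Riskware.Tool"),
    (RTP, r"C:\Users\a\tmp1.dat", "Sample.Threat.A"),
    (RTP, r"E:\Share\x.exe", "Sample.Threat.A"),
]

if __name__ == "__main__":
    for det, names in zip(DETECTIONS, suppressed_by(RULES, DETECTIONS)):
        print(det, "->", names or "reported")
    print("review:", broad_rules(RULES))
```

Rule R1 hides every threat under its folder but only for the component it was checked for in step 4, so the same file is still reported by the on-demand scan.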

20.7.4. Applying a trusted zone

You can enable or disable the use of a trusted zone in existing policies and in tasks (during task creation or in the Task Settings dialog box).
By default a trusted zone is applied in new policies and tasks created.
In order to apply a trusted zone to a policy:
1. Expand the Groups node in the Administration Console tree, then expand the administration group the policy settings of which you wish to configure, then expand nested node Policies.
2. Open shortcut menu on the policy the settings of which you wish to configure and select the Properties command.
3. Perform the following actions in the Policy Properties dialog box:
• in order to apply exclusions: trusted processes, make sure that the Do not monitor file activity of the specified processes flag is checked and set a lock in the List of trusted processes group of settings;
• in order to apply exclusions: backup copying operations, make sure that the Do not check files backup operations flag is checked and set a lock in the List of trusted processes group of settings;
• in order to apply user-defined exceptions, set a lock in the Exceptions group of settings.
4. Press the OK button.
In order to apply a trusted zone to an existing task:
1. Expand the Groups node in the Administration Console tree and select a group to which the protected server belongs.
2. Open the shortcut menu on the line with the information about the protected server in the result panel and select the Properties command.
3. Open the shortcut menu on the task you wish to configure on the Task tab in the Computer Properties dialog box and select the Properties command.
4. In the Task Properties dialog box on the Settings tab press the Advanced button and check the Take into Account Trusted Zone Rules icon in the Advanced dialog box.
You can also apply a trusted zone when you create a task.
CHAPTER 21. CREATING AND CONFIGURING TASKS

This chapter contains the following information:

• about tasks that you can create in the Administration Console (see 21.1
on pg. 303);
• creating tasks (see 21.2 on pg. 303);
• configuring tasks (see 21.3 on pg. 313).

21.1. About creating tasks


You can create local user, group and global tasks of the following types:
• on-demand scan;
• update tasks;
• bases update rollback;
• key installation.
You create local tasks for the selected protected server on the Tasks tab of the
Application Settings dialog box; group tasks are created in the Group tasks
node of the selected group, and global tasks are created in the Global tasks
node.

Note
Using policies, you can disable the schedule of local predefined tasks on all
protected servers that belong to the same administration group.

General information about tasks in Kaspersky Administration Kit is provided
in the document Kaspersky Administration Kit. Administrator's Guide.

21.2. Creating tasks


In order to create a new task in the Administration Console:
1. Start the task creation wizard for the required task type:
• to create a local task:
a) expand the Groups node in the Administration Console and
select the group to which the protected server belongs;
b) right-click the line with the information about the protected
server in the result panel and select Properties;
c) press the Add button on the Tasks tab;
• to create a group task:
a) select the group for which you wish to create a group task in the
Administration Console tree;
b) right-click the Group task nested folder and select Create →
Task;
• to create a global task, right-click the Global tasks node in
the Administration Console tree and select Create → Task.
This will open the greeting window of the task creation wizard.
2. Enter the task name in the Task name window of the task creation
wizard (maximum 100 characters; the characters " * < > ? \ / | : are illegal).
We recommend that you include the task's type in its name (for
example, "On-demand scan of public folders").
3. Select Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise
Edition in the Applications window under the Application heading and
then select the type of the task being created under the Task type heading.
4. Depending on the type of the task being created, perform one of the
following actions:
• If you are creating an on-demand scan task:
a) Define the scan scope in the Configuration dialog box.
By default, the scan scope includes the predefined scope My
Computer (see Figure 121).

Figure 121. Task creation wizard configuration window

The My Computer area contains predefined scope areas (for a
description of these areas see 9.2.1.2 on pg. 114).
If, based on security requirements, you do not have to scan the
entire server, you can restrict the scan scope and include in it
only certain pre-defined areas (scopes) and/or individual
drives, folders or files.
o In order to include only individual areas, drives, folders or files
in the scan scope, remove the My Computer area using the
Configuration dialog box, then press the Add button and, using
the Adding objects to the scan scope dialog box, specify
the objects that will be included in the scan scope: select a
pre-defined area in the Predefined scan scope list (see
Figure 122), or specify a server drive, a folder or a file on the
server or on a different computer in the network, and then press the
OK button.

Figure 122. The Adding objects to the scan scope dialog box

o In order to exclude nested folders or files from the scan scope,
select the folder (drive) you have added using the Configuration
window of the wizard, then press the Configure on-demand scan
button and uncheck the Nested Folders (Nested Files) box in the
Protection Area Configuration dialog box.
o Check the Apply trusted zone flag if you wish the task to
exclude objects described in the Anti-Virus trusted zone from
the scan scope (for more details about the trusted zone see
section 8.1 on pg. 99; for more details about adding exclusions to
the trusted zone in Kaspersky Administration Kit see
section 20.7 on pg. 296).
b) If you plan to use the task you are creating as the full computer
scan task, check the Treat task execution as the full server
scan box. The Kaspersky Administration Kit application will
evaluate the security status of the server(s) based on the results of
the execution of tasks with the Full computer scan status rather
than on the result of the Scan My Computer system task
execution. For more details on assigning the "full computer
scan task" status to an on-demand scan task see 21.4 on pg.
315.
c) To assign Low priority to the process in which a task will run,
select Run in the background. By default, processes in which
Anti-Virus tasks run have Average priority. Lowering the process
priority makes tasks take longer, but it can also have a
beneficial impact on the speed of processes from other active
applications.
• If you are creating an updating task, change the task
settings/parameters based on your requirements:
a) select an update source in the Configuration dialog box (see
A.5.1 on pg. 381);

Figure 123. The Settings dialog box

b) Press the LAN settings button. This will open the Connection
settings dialog box (see Figure 124);

Figure 124. The Additional settings dialog box, Connection settings tab

c) On the Connection settings tab, take the following steps:
o change the FTP server mode for the connection with the
protected server (see A.5.2 on pg. 382);
o if necessary, change the connection timeout for the update
source (see A.5.3 on pg. 383);
o configure the proxy server access settings for connecting to
the update source (see A.5.4 on pg. 383);
d) specify the location of the protected server(s) on the Regional
Settings tab to optimize downloading of the updates (see
A.5.5 on pg. 387).
• If you are creating an Application Module update task, configure
the required settings of the application module updates in the
Updating settings configuration dialog box (see Figure 125):
a) select whether you want the task to download and install the
application module updates or only check if updates are
available (see A.5.6.1 on pg. 388);

Figure 125. The Update settings dialog box in the Updating application modules task

b) If you selected Download and install critical application
modules updates, a server restart may be required to apply
the installed application modules. If you wish Anti-Virus to
automatically restart the server after the task is completed, check
the Allow system reboot box. In order to disable the automatic
restart after the task is completed, uncheck the Allow system
reboot box.
c) If you wish to receive information about the release of scheduled
Anti-Virus updates, check the Receive information about
available application modules updates box.
Kaspersky Lab does not upload scheduled update packages
to the update servers for automatic updating; you can download
them from the Kaspersky Lab website. You can configure
administrator's notifications about the Anti-Virus module
scheduled updates available event, which contain the URL of
our website from which you can download scheduled updates
(for more details about configuring notifications see section
15.2 on pg. 216).
• If you are creating an Updates distribution task, specify the scope
of updates in the Updates distribution settings defining dialog
box (see A.5.7.1 on pg. 389).

Figure 126. The Updates distribution settings defining settings dialog box

• If you are creating a License key installation task, specify the key
file name with the .key extension and the full path to it in the Key field in the
License key installation dialog box (see Figure 127).

Figure 127. The License key installation dialog box

5. Configure the required task schedule settings (you can configure the
schedule for all types of tasks except the Key Installation and
Application Database rollback tasks). Perform the following in the Schedule
dialog box (see Figure 128):
a) check the Start task according to schedule box to enable the
schedule;
b) specify the frequency for the task startup (see A.2.1 on pg. 353):
select one of the following values in the Execution Frequency list:
Hourly, Daily, Weekly, At Anti-Virus startup, After database
update (you can specify the task startup frequency Upon
receiving updates by the Administration Server for the Application
bases update, Application module update and Downloading
updates tasks):
o if you selected Hourly, specify the number of hours in
Every <number> hours in the Task Launch Settings
group;
o if you selected Daily, specify the number of days in
Every <number> days in the Task Launch Settings group;
o if you selected Weekly, specify the number of weeks in
Every <number> weeks in the Task Launch Settings
group, and specify the weekdays on which the task will be
launched (by default the task will be launched on Mondays).

Figure 128. An example of the Schedule dialog box with After receiving updates by
Administration server

c) specify the time of the first task start in the Start time field; specify the
date of the schedule start in the Start from field (see A.2.2 on pg. 355);
d) if required, specify the rest of the schedule settings: press the
Additional button and perform the following in the Additional
schedule settings dialog box (see Figure 129):

Figure 129. The Additional schedule settings dialog box


o specify the maximum duration of the task execution: enter the
required number of hours and minutes in the Duration field in
the Task Stop Settings group (see A.2.4 on pg. 356);
o specify the time period within 24 hours during which the task
execution will be paused: enter the from and to values for the
period in the Pause from… until field (see A.2.5 on pg.
357);
o specify the schedule disabling date: check the End schedule
date box and, using the Calendar dialog box, select the date on
which the schedule will be disabled (see A.2.3 on pg. 356);
o enable the launch of skipped tasks: check the Run missed tasks box (see
A.2.6 on pg. 357);
o enable the use of the Launch time distribution setting: check
the Randomize the task start time within the interval box and
specify the value for this setting in minutes (see A.2.7 on pg.
358).
e) Press the OK button.
6. If the task being created is a global task, select the network (group)
computers for which this task will be executed.
7. Press the Finish button in the final window of the task creation wizard.
The task created will be displayed in the Tasks dialog box.

21.3. Configuring a task


After you have created a task you can configure the following settings:
• modify the task settings;
• configure / modify the task schedule;
• specify the account under which the task will be executed;
• configure notifications about the task execution.
In order to configure a task:
1. Expand the Groups node in the Administration Console tree and select
a group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the
result panel and select Properties.

3. Right-click on the task you wish to configure on the Task tab in the
Computer Properties dialog box and select Properties.
4. Modify the task settings, if necessary:
• In the Real-time File Protection task on the Settings tab:
o create a protection area (for information about pre-defined areas
see section 6.2.1.2 on pg. 66);
o apply the trusted zone: press the Protection mode button and
check the Take into Account Trusted zone Rules box in the
Advanced dialog box (to learn how to create a trusted zone
see section 20.7.3 on pg. 299);
o in order to change the object protection mode, press the
Protection mode button and select the required object protection
mode in the Advanced dialog box (for more details about this
setting refer to section A.3.1 on pg. 359);
• In the Script monitoring task on the Settings tab:
o define whether execution should be allowed or blocked for
scripts that Anti-Virus recognizes as suspicious;
o use the trusted zone (please refer to section 20.7.3 on pg. 299
for details on the procedure);
• In the Full Computer Scan task on the Scan scope tab:
o create a scan area (for information about pre-defined areas see
section 9.2.1.2 on pg. 114);
o change the priority of the working process in which the
task will be executed (see section 9.3 on pg. 131);
o assign the status "Full Computer Scan Task" to this task (see
section 21.4 on pg. 315);
o apply the trusted zone (to learn how to create a trusted zone
see section 20.7.3 on pg. 299);
• In the Updates distribution task:
o use the Updates distribution settings tab to specify the
updates you want and the folder where they will be saved (see
A.5.7 on pg. 389);
o on the Update source tab, specify the update source (see
A.5.1 on pg. 381);
• configure the task schedule on the Schedule tab (for instructions on
how to create a task see 21.2 on pg. 303);
• specify the account under which the task will be executed on the
Account tab (see 5.9.1 on pg. 59);
• configure a notification about the result of the task execution on the
Notification tab (for details see the document Kaspersky
Administration Kit. Reference Guide).

Note
While the Kaspersky Administration Kit policy is active, the settings
marked with the icon in the Application settings dialog box of
Administration Console are locked for editing.

5. Press the OK button.


6. Press the OK button in the Task settings dialog box to save the
changes.

21.4. Managing full scans of servers


Assigning the "full computer scan" status to an on-demand scan task
By default, Kaspersky Administration Kit assigns the server the status of Warning
if the Scan My Computer task is performed less often than is specified by the
Anti-Virus "Full computer scan has not been performed for a long time"
event logging threshold setting, and sends the administrator a notification of
the event Full computer scan has not been performed for a long time (if
configured).
You can administer a complete scan of all servers in one administration group at
the same time by taking the following steps:
1. Create a group on-demand scan task. In the Settings window of the
task creation wizard, assign it the status: "Scan My Computer task". The
task settings you specify (the scan scope and security settings) will be
applied to all servers in the group. Configure the task schedule. For
more details on how to create a task, see 21.2 on pg. 303.

Note
You can assign an on-demand scan task the status "Scan My Computer
task" when you create it or afterward in the Task properties dialog box.

2. Using a new or an existing policy, disable the system Scan My
Computer task on the group's servers (see section 19.4 on pg. 272).
Kaspersky Administration Kit Administration Server will then evaluate the security
status of the secured server and will notify you about it based on the results of
the last execution of tasks with the Full Computer Scan status rather than based
on the results of the Full computer scan predefined tasks.
You can assign the "Full Computer Scan" status to either group or global
on-demand scan tasks.
Using the Anti-Virus Console in MMC you can check whether a group or
a global on-demand task is a full computer scan task.

Note
The Treat task execution as a full server scan task check box is displayed
only in the properties of the group and global tasks (it is not accessible for
editing).
PART 4. ANTI-VIRUS COUNTERS
This section contains the following information:
• Description of performance counters for System Monitor (see Chapter
22 on pg. 317);
• Description of Anti-Virus SNMP counters and traps (see Chapter 23 on
pg. 326).
CHAPTER 22. PERFORMANCE COUNTERS FOR SYSTEM MONITOR

This chapter contains general information on Anti-Virus performance counters
(see 22.1 on pg. 318) and a description of each of the counters:
• Total number of denied requests (see 22.2 on pg. 319);
• Total number of skipped requests (see 22.3 on pg. 320);
• Number of requests not processed because of lack of system resources
(see 22.4 on pg. 321);
• Number of requests accepted for processing (see 22.5 on pg. 321);
• Average number of file interception dispatcher streams (see 22.6 on
pg. 322);
• Maximum number of file interception dispatcher streams (see 22.7 on
pg. 323);
• Number of infected objects in processing queue (see 22.8 on pg. 324);
• Number of objects processed per second (see 22.9 on pg. 325).
22.1. About Anti-Virus performance counters

If the Performance Counters component is one of the Anti-Virus components
installed, Anti-Virus registers its own performance counters for Microsoft
Windows System Monitor during installation.
Using the Anti-Virus counters, you can monitor Anti-Virus performance while
real-time protection tasks are running. You can uncover bottlenecks that arise
when it is running with other applications, as well as resource shortages. You
can diagnose undesirable Anti-Virus settings and crashes in its operation.
You can view Anti-Virus performance counters by opening the Performance
console in the Administration Control Panel item.
The following sections list definitions of counters, recommended intervals for taking
readings, threshold values, and recommendations for Anti-Virus settings if the
counter values exceed them.

22.2. Total number of denied requests

Name: Number of requests denied

Definition: Total number of requests from the file interception driver to
process objects that were not accepted by Anti-Virus processes; counted
from the time Anti-Virus was last started.
Anti-Virus skips objects for which the processing requests are denied by
the Anti-Virus processes.

Purpose: This counter can help you detect:
• lower quality of real-time protection caused by overloaded Anti-Virus
working processes;
• interruption of real-time protection because of file interception
dispatcher failures.

Normal / threshold value: 0 / 1

Recommended reading interval: 1 hour

Recommendations for configuration if value exceeds the threshold:
The number of processing requests denied corresponds to the number of
skipped objects.
The following situations are possible depending on the behavior of the
counter:
• The counter shows several requests denied over an extended length of
time: all Anti-Virus processes are fully loaded, so Anti-Virus could not
scan the objects.
To avoid skipping objects, increase the number of Anti-Virus processes
for real-time protection tasks. You can use the Anti-Virus settings
Maximum number of working processes (for more details see A.1.1 on
pg. 340) and Number of working processes for real-time protection
tasks (for more details see A.1.2 on pg. 341);
• The number of requests denied significantly exceeds the critical
threshold and is growing quickly: the file interception dispatcher has
crashed. Anti-Virus is not scanning objects on access.
Restart Anti-Virus.

22.3. Total number of skipped requests

Name: Number of requests skipped

Definition: Total number of requests from the file interception driver to
process objects that were accepted by driver processes but did not generate
events on completion of processing; counted from the time Anti-Virus was
last started.
If a work process accepted a request to process an object but did not send
an event on completion of the processing, the driver transfers the request
to another process and the value of the Total Number of Skipped Requests
counter increments by 1. If the driver has gone through all work processes
and no process has accepted the request for processing (was busy) or has
sent an event on completion of the processing, Anti-Virus skips the object
and the value of the Total Number of Skipped Requests counter increments
by 1.

Purpose: This counter enables you to detect drops in performance
because of file interception dispatcher failures.

Normal / threshold value: 0 / 1

Recommended reading interval: 1 hour

Recommendations for configuration if value exceeds the threshold:
If the counter value is anything other than zero, this means that one or
several file interception dispatcher streams have frozen and are down. The
counter value corresponds to the number of streams currently down.
If the scan speed is not satisfactory, restart Anti-Virus to restore the
off-line streams.

22.4. Number of requests not processed because of lack of system resources

Name: Number of requests not processed due to lack of resources

Definition: Total number of requests from the file interception driver
which were not processed because of a lack of system resources (for
example, RAM); counted from the time Anti-Virus was last started.
Anti-Virus skips objects for which the processing requests are not
processed by the file interception driver.

Purpose: This counter can be used to detect and eliminate potentially
lower quality in real-time protection that occurs because of low system
resources.

Normal / threshold value: 0 / 1

Recommended reading interval: 1 hour

Recommendations for configuration if value exceeds the threshold:
If the counter value is anything other than zero, the Anti-Virus working
processes need more RAM to process requests.
Active processes of other applications may be using all available RAM.

22.5. Number of requests sent to be processed

Name: Number of requests sent to be processed

Definition: Number of objects currently awaiting being processed by
the Anti-Virus processes

Purpose: This counter can be used to track the load on Anti-Virus
working processes and the overall level of file activity on the server.

Normal / threshold value: The counter value may vary depending on the
level of file activity on the server

Recommended reading interval: 1 min.

Recommendations for configuration if value exceeds the threshold: No

22.6. Average number of file interception dispatcher streams

Name: Average number of file interception dispatcher streams

Definition: The number of file interception dispatcher streams in one
process and the average for all processes currently involved in real-time
protection tasks

Purpose: Lower quality of real-time protection from the full load on
Anti-Virus processes

Normal / threshold value: Varies / 40

Recommended reading interval: 1 min.

Recommendations for configuration if value exceeds the threshold:
Up to 60 file interception dispatcher streams can be created in each
working process. If the counter value approaches 60, there is a risk that
none of the working processes will be able to process the next request in
the queue from the file interception driver and Anti-Virus will skip the
object.
Increase the number of Anti-Virus processes for real-time protection
tasks. You can use the Anti-Virus settings Maximum number of working
processes (for more details see A.1.1 on pg. 340) and Number of working
processes for real-time protection tasks (for more details see A.1.2 on
pg. 341).

22.7. Maximum number of file interception dispatcher streams

Name: Maximum number of file interception dispatcher streams

Definition: The number of file interception dispatcher streams in one
process and the maximum for all processes currently involved in real-time
protection tasks

Purpose: This counter enables you to detect and eliminate drops in
performance because of uneven distribution of loads in running processes.

Normal / threshold value: Varies / 40

Recommended reading interval: 1 minute

Recommendations for configuration if value exceeds the threshold:
If the value of this counter significantly and continuously exceeds the
value of the Average number of file interception dispatcher streams
counter, Anti-Virus is distributing the load to running processes unevenly.
Restart Anti-Virus.

22.8. Number of infected objects in processing queue

Name: Number of items in the infected object queue

Definition: Number of infected objects currently waiting to be
processed (disinfected or deleted)

Purpose: This counter can help you detect:
• Interruption of real-time protection because of possible
file interception dispatcher failures;
• Overload of processes because of uneven distribution
of processor time between different working processes
and Anti-Virus;
• Virus outbreaks.

Normal / threshold value: This value may be something other than zero
while Anti-Virus is processing infected or suspicious objects but will
return to zero after processing is finished / The value remains non-zero
for an extended period of time.

Recommended reading interval: 1 minute

Recommendations for configuration if value exceeds the threshold:
If the value of the counter does not return to zero for an extended period
of time:
• Anti-Virus is not processing objects (the file interception
dispatcher may have crashed);
Restart Anti-Virus.
• Not enough processor time to process the objects;
Make sure Anti-Virus receives additional processor
time (by lowering other applications' load on the server,
for example).
• There has been a virus outbreak.
You can enable the Virus Outbreak Prevention function
(see 7.5 on pg. 92).
A large number of infected or suspicious objects in a
Real-time file protection task is also a sign of a virus
outbreak. You can view information on the number of
objects detected in the task statistics (see 6.3 on
pg. 83) or in the detailed task performance report (see
13.2.4 on pg. 191).

22.9. Number of objects processed per second

Name: Number of objects processed per second

Definition: Number of objects processed divided by the amount of
time that it took to process those objects; calculated over
equal lengths of time

Purpose: This counter reflects the speed of object processing; it can
be used to detect and eliminate low points in server performance
that occur because of insufficient processor time
being allotted to Anti-Virus processes or errors in Anti-Virus
operation.

Normal / threshold value: Varies / No

Recommended reading interval: 1 minute

Recommendations for configuration if value exceeds the threshold:
The values of this counter depend on the values set in the
Anti-Virus settings and the load on the server from other
applications' processes.
Observe the average level of counter numbers over an
extended period of time. If the average level of the counter
numbers drops:
• Anti-Virus processes do not have enough processor
time to process the objects;
Make sure Anti-Virus receives additional processor
time (by lowering other applications' load on the server,
for example).
• Anti-Virus has experienced an error (several streams
are down).
Restart Anti-Virus.
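
The threshold rules from sections 22.2 to 22.8, applied to a series of counter readings, are sketched below as an added example; it is not part of this guide or of Kaspersky Lab's software. The helper names (readings, sustained, evaluate), the sample series and the numeric values chosen for "growing quickly", "significantly" and "extended period" are assumptions, and all counters are assumed to be read at one common interval.

```python
# Counter names as given in the "Name" rows of sections 22.2-22.8.
DENIED = "Number of requests denied"
SKIPPED = "Number of requests skipped"
NO_RESOURCES = "Number of requests not processed due to lack of resources"
AVG_STREAMS = "Average number of file interception dispatcher streams"
MAX_STREAMS = "Maximum number of file interception dispatcher streams"
INFECTED_QUEUE = "Number of items in the infected object queue"
COLUMNS = (DENIED, SKIPPED, NO_RESOURCES, AVG_STREAMS, MAX_STREAMS, INFECTED_QUEUE)

STREAM_THRESHOLD = 40  # threshold value stated in 22.6 and 22.7

# Assumptions: the guide gives no numbers for these terms, tune them locally.
FAST_GROWTH_PER_READING = 100  # "growing quickly" (22.2)
UNEVEN_RATIO = 2.0             # "significantly exceeds" the average (22.7)
SUSTAINED_READINGS = 3         # "extended period" / "continuously"

RESTART = "restart Anti-Virus"
MORE_PROCESSES = "increase the number of working processes (A.1.1, A.1.2)"


def readings(rows):
    """Turn rows of numbers into one dict per reading, keyed by counter name."""
    return [dict(zip(COLUMNS, row)) for row in rows]


def sustained(samples, predicate, n=SUSTAINED_READINGS):
    """True when the predicate holds for each of the last n readings."""
    tail = samples[-n:]
    return len(tail) == n and all(predicate(s) for s in tail)


def evaluate(samples):
    """Map each counter past its threshold to a (diagnosis, action) pair.

    samples is a time-ordered list of dicts, oldest reading first.
    """
    first, last = samples[0], samples[-1]
    out = {}

    # 22.2: cumulative since start, normal 0, threshold 1.
    if last[DENIED] >= 1:
        growth = (last[DENIED] - first[DENIED]) / max(len(samples) - 1, 1)
        if growth >= FAST_GROWTH_PER_READING:
            out[DENIED] = ("file interception dispatcher crashed, "
                           "objects are not scanned on access", RESTART)
        else:
            out[DENIED] = ("working processes fully loaded, objects skipped",
                           MORE_PROCESSES)

    # 22.3: the value equals the number of dispatcher streams that are down.
    if last[SKIPPED] >= 1:
        out[SKIPPED] = (f"{last[SKIPPED]} dispatcher stream(s) down",
                        RESTART + " if the scan speed is not satisfactory")

    # 22.4: any non-zero value means requests were dropped for lack of RAM.
    if last[NO_RESOURCES] >= 1:
        out[NO_RESOURCES] = ("working processes need more RAM",
                             "check RAM use by other applications")

    # 22.6: a process can hold up to 60 streams, threshold 40.
    if last[AVG_STREAMS] >= STREAM_THRESHOLD:
        out[AVG_STREAMS] = ("streams per process approaching the limit of 60",
                            MORE_PROCESSES)

    # 22.7: maximum continuously far above the average means uneven load.
    if sustained(samples, lambda s: s[MAX_STREAMS] >= STREAM_THRESHOLD
                 and s[MAX_STREAMS] >= UNEVEN_RATIO * s[AVG_STREAMS]):
        out[MAX_STREAMS] = ("load distributed unevenly between processes",
                            RESTART)

    # 22.8: the queue should drain back to zero after processing.
    if sustained(samples, lambda s: s[INFECTED_QUEUE] > 0):
        out[INFECTED_QUEUE] = (
            "queue not draining: dispatcher failure, CPU shortage or outbreak",
            RESTART + ", free processor time or enable Virus Outbreak Prevention")
    return out


# Constructed sample series (not measurements), columns in COLUMNS order.
OVERLOADED = readings([
    (0, 0, 0, 35, 40, 0),
    (2, 0, 0, 38, 45, 3),
    (3, 0, 0, 41, 50, 0),
    (5, 0, 0, 44, 52, 0),
])
DISPATCHER_DOWN = readings([
    (0, 0, 0, 10, 12, 0),
    (400, 1, 0, 8, 42, 4),
    (900, 2, 0, 6, 45, 9),
    (1500, 2, 0, 5, 50, 15),
])

if __name__ == "__main__":
    for name, series in (("overloaded", OVERLOADED),
                         ("dispatcher down", DISPATCHER_DOWN)):
        print(name)
        for counter, (diagnosis, action) in evaluate(series).items():
            print(f"  {counter}: {diagnosis} -> {action}")
```

The same denied-requests counter leads to two different actions depending on its growth, which is why the evaluation needs a series of readings rather than a single value.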

CHAPTER 23. ANTI-VIRUS SNMP COUNTERS AND TRAPS

This chapter contains the following information:

• About Anti-Virus SNMP counters and traps (see 23.1 on pg. 326);
• Description of SNMP counters (see 23.2 on pg. 326);
• Description of SNMP traps (see 23.2.8 on pg. 330).

23.1. About Anti-Virus SNMP counters and traps

If you chose to install the SNMP Counters and Traps Anti-Virus component, you
can view Anti-Virus counters and traps using Simple Network Management Protocol
(SNMP) and HP Open View.
To view Anti-Virus counters and traps from the administrator's workstation, start
SNMP Service on the protected server and start SNMP and SNMP Trap Services
on the administrator's workstation.

23.2. Anti-Virus SNMP counters

There are three types of SNMP counters in Anti-Virus:
• Performance counters (see 23.2.1 on pg. 327);
• General counters (see 23.2.2 on pg. 327);
• Update counter (see 23.2.3 on pg. 328);
• Real-time protection counters (see 23.2.4 on pg. 328);
• Quarantine counters (see 23.2.5 on pg. 329);
• Backup counters (see 23.2.6 on pg. 330);
• Server access blocking counters (see 23.2.7 on pg. 330);
• Counters for scanned scripts (see 23.2.8 on pg. 330).

23.2.1. Performance counters

Counter | Definition
currentRequestsAmount | Number of requests accepted for processing (see description in 22.5 on pg. 321)
currentInfectedQueueLength | Number of infected objects in processing queue (see description in 22.8 on pg. 324)
currentObjectProcessingRate | Number of objects processed per second (see description in 22.9 on pg. 325)
currentWorkProcessesAmount | The current number of working processes used by Anti-Virus

23.2.2. General counters

Counter | Definition
currentApplicationUptime | The amount of time that Anti-Virus has been running since it was last started, in hundreds of seconds
currentFileMonitorTaskStatus | Real-time Protection task status: On – running; Off – stopped or paused
currentScriptCheckerTaskStatus | Script monitoring task status: On – running; Off – stopped or paused
lastFullScanAge | Age of the last complete scan of the server (time elapsed in seconds since the last Scan My Computer task completed)
licenseExpirationDate | License key expiration date (if the active and the backup keys are installed, this date indicates when the total aggregate period of the active and the backup keys will expire).

23.2.3. Update counter

Counter | Definition
avBasesAge | Age of the databases (time elapsed in hundredths of seconds since the creation date of the latest updated bases installed).

23.2.4. Real-time protection counters

Counter | Definition
totalObjectsProcessed | Total number of objects scanned since the Real-time file protection task was last run
totalInfectedObjectsFound | Total number of infected objects detected since the Real-time file protection task was last run
totalSuspiciousObjectsFound | Total number of suspicious objects detected since the Real-time file protection task was last run
totalVirusesFound | Total number of threats detected since the Real-time file protection task was last run
totalObjectsQuarantined | Total number of infected or suspicious objects which were quarantined by Anti-Virus; calculated starting from the moment the Real-time file protection was last started
totalObjectsNotQuarantined | Total number of infected or suspicious objects which Anti-Virus attempted to quarantine but was unable to; calculated starting from the moment the Real-time file protection was last started
totalObjectsDisinfected | Total number of infected objects which were disinfected by Anti-Virus; calculated starting from the moment the Real-time file protection was last started
totalObjectsNotDisinfected | Total number of infected objects which Anti-Virus attempted to disinfect but was unable to; calculated starting from the moment the Real-time file protection was last started
totalObjectsDeleted | Total number of infected or suspicious objects which were deleted by Anti-Virus; calculated starting from the moment the Real-time file protection was last started
totalObjectsNotDeleted | Total number of infected or suspicious objects which Anti-Virus attempted to delete but was unable to; calculated starting from the moment the Real-time file protection was last started
totalObjectsBackedUp | Total number of infected objects which were placed into backup storage by Anti-Virus; calculated starting from the moment the Real-time file protection was last started
totalObjectsNotBackedUp | Total number of infected objects which were attempted to be placed into backup storage by
Anti-Virus, but it was unable to do so; calcu-
lated starting from the moment the Real-time
file protection was last started

23.2.5. Quarantine counters

| Counter | Definition |
|---|---|
| totalObjects | Number of objects currently in Quarantine |
| totalSuspiciousObjects | Number of suspicious objects currently in Quarantine |
| currentStorageSize | Total size of the data in Quarantine (MB) |



23.2.6. Backup counters

| Counter | Definition |
|---|---|
| currentBackupStorageSize | Total size of the data in Backup (MB) |

23.2.7. Server access blocking counters

| Counter | Definition |
|---|---|
| currentHostsBlocked | Number of computers in the blocking list |
| totalNotBlocked | Number of computers not denied access because they are excluded from blocking (trusted computers) since automatic blocking was enabled |

23.2.8. Counters for scanned scripts

| Counter | Definition |
|---|---|
| totalScriptsProcessed | Total number of scanned scripts |
| totalInfectedIDangerousScriptsFound | Total number of found infected scripts |
| totalSuspiciousScriptsFound | Total number of found suspicious scripts |
| totalScriptsBlocked | Total number of scripts, access to which has been blocked. |
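
The following added example (not part of the guide or of Kaspersky Lab's code) shows one way a monitoring job could evaluate two successive polls of the counters in 23.2, using the units given in the tables and the default thresholds from A.1.8. The function names, severities, finding codes and the "on"/"off" status strings are assumptions, and the two polls are constructed sample data.

```python
DAY_SECONDS = 86400

# Default event generation thresholds from section A.1.8, in days.
BASES_OBSOLETE_DAYS = 7
BASES_OUTDATED_DAYS = 14
FULL_SCAN_DAYS = 30

# Section 23.2.4 counters that record a protective action that failed.
FAILED_ACTION_COUNTERS = (
    "totalObjectsNotQuarantined",
    "totalObjectsNotDisinfected",
    "totalObjectsNotDeleted",
    "totalObjectsNotBackedUp",
)


def counter_delta(previous, current):
    """Growth of a 'since the task was last started' total between two polls.

    These totals start again from zero when Real-time file protection is
    restarted, so a smaller current value means a reset: everything counted
    in the current value is new activity.
    """
    return current if current < previous else current - previous


def evaluate(previous, current):
    """Return (severity, code, detail) findings for the current poll."""
    findings = []

    # Task status: assumed to be normalised to "on"/"off" by the poller.
    for counter, label in (
        ("currentFileMonitorTaskStatus", "Real-time Protection"),
        ("currentScriptCheckerTaskStatus", "Script monitoring"),
    ):
        if current[counter] != "on":
            findings.append(("critical", counter, f"{label} task is stopped or paused"))

    # avBasesAge is reported in hundredths of seconds.
    bases_days = current["avBasesAge"] / 100 / DAY_SECONDS
    if bases_days >= BASES_OUTDATED_DAYS:
        findings.append(("critical", "basesOutdated", f"{bases_days:.1f} days old"))
    elif bases_days >= BASES_OBSOLETE_DAYS:
        findings.append(("warning", "basesObsolete", f"{bases_days:.1f} days old"))

    # lastFullScanAge is reported in seconds.
    scan_days = current["lastFullScanAge"] / DAY_SECONDS
    if scan_days >= FULL_SCAN_DAYS:
        findings.append(("warning", "fullScanOverdue", f"{scan_days:.1f} days ago"))

    # Uptime that goes backwards means Anti-Virus restarted between polls.
    if current["currentApplicationUptime"] < previous["currentApplicationUptime"]:
        findings.append(("info", "applicationRestarted", "uptime decreased"))

    for counter in FAILED_ACTION_COUNTERS:
        delta = counter_delta(previous[counter], current[counter])
        if delta:
            findings.append(("critical", counter, f"{delta} new failed action(s)"))

    new_infected = counter_delta(
        previous["totalInfectedObjectsFound"], current["totalInfectedObjectsFound"]
    )
    if new_infected:
        findings.append(("warning", "totalInfectedObjectsFound", f"{new_infected} new"))
    return findings


# Constructed sample polls (not real measurements).
PREVIOUS = {
    "currentApplicationUptime": 5000,
    "currentFileMonitorTaskStatus": "on",
    "currentScriptCheckerTaskStatus": "on",
    "avBasesAge": 8 * DAY_SECONDS * 100,
    "lastFullScanAge": 30 * DAY_SECONDS,
    "totalInfectedObjectsFound": 40,
    "totalObjectsNotQuarantined": 1,
    "totalObjectsNotDisinfected": 0,
    "totalObjectsNotDeleted": 0,
    "totalObjectsNotBackedUp": 0,
}
CURRENT = {
    "currentApplicationUptime": 12,
    "currentFileMonitorTaskStatus": "on",
    "currentScriptCheckerTaskStatus": "off",
    "avBasesAge": 9 * DAY_SECONDS * 100,
    "lastFullScanAge": 31 * DAY_SECONDS,
    "totalInfectedObjectsFound": 3,
    "totalObjectsNotQuarantined": 0,
    "totalObjectsNotDisinfected": 0,
    "totalObjectsNotDeleted": 2,
    "totalObjectsNotBackedUp": 0,
}

if __name__ == "__main__":
    for severity, code, detail in evaluate(PREVIOUS, CURRENT):
        print(f"{severity:8} {code}: {detail}")
```

Comparing against the previous poll matters because the 23.2.4 totals are cumulative only since the last start of Real-time file protection; a raw threshold on them would miss failures that occur right after a restart.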

23.3. SNMP traps


The following table describes Anti-Virus SNMP counters and traps; trap settings
are described in Table 20.

Table 20. Anti-Virus SNMP traps

| Trap | Description | Settings |
|---|---|---|
| eventThreatDetected | Threat detected. For more details about how Anti-Virus detects infected and suspicious objects, see 1.1.3 on pg. 17. | eventTimeStamp, eventSeverity, computerName, userName, objectName, threatName, detectType, detectCertainty |
| eventBackupStorageSizeExceeds | Maximum backup size exceeded. The total size of data in Backup has exceeded the value specified by the Maximum Backup size. Anti-Virus continues to back up infected objects. | eventTimeStamp, eventSeverity, eventSource |
| eventThresholdBackupStorageSizeExceeds | Backup free space threshold reached. The amount of free size in Backup assigned by the Backup threshold of free space is less than the specified value. Anti-Virus continues to back up infected objects. | eventTimeStamp, eventSeverity, eventSource |
| eventQuarantineStorageSizeExceeds | Maximum Quarantine size exceeded. The total size of data in Quarantine has exceeded the value specified by the Maximum Quarantine size. Anti-Virus continues to quarantine suspicious objects. | eventDateAndTime, eventSeverity, eventSource |
| eventThresholdQuarantineStorageSizeExceeds | Quarantine free space threshold reached. The amount of free size in Quarantine assigned by the Quarantine threshold of free space is less than the specified value. Anti-Virus continues to quarantine suspicious objects. | eventDateAndTime, eventSeverity, eventSource |
| eventObjectNotQuarantined | Quarantining error | eventSeverity, eventDateAndTime, eventSource, userName, computerName, objectName, storageObjectNotAddedEventReason |
| eventObjectNotBackuped | Error of saving an object copy in the backup storage | eventSeverity, eventDateAndTime, eventSource, objectName, userName, computerName, storageObjectNotAddedEventReason |
| eventQuarantineInternalError | Quarantine has experienced an error. | eventSeverity, eventDateAndTime, eventSource, eventReason |
| eventBackupInternalError | Backup has experienced an error. | eventSeverity, eventDateAndTime, eventSource, eventReason |
| eventAVBasesOutdated | Anti-Virus database is out of date. Calculated as the number of days passed since the last bases update task (local, group or global). | eventSeverity, eventDateAndTime, eventSource, days |
| eventAVBasesTotallyOutdated | Anti-Virus database is obsolete. Calculated as the number of days passed since the last bases update task (local, group or global). | eventSeverity, eventDateAndTime, eventSource, days |
| eventApplicationModulesIntegrityFailed | An error occurred while checking application module integrity | eventSeverity, eventDateAndTime, eventSource |
| eventApplicationStarted | Anti-Virus started. | eventSeverity, eventDateAndTime, eventSource |
| eventApplicationShutdown | Anti-Virus is stopped. | eventSeverity, eventDateAndTime, eventSource |
| eventFullScanWasntPerformForALongTime | A complete scan has not been performed for some time. Calculated as the number of days since the last completion of a Scan My Computer task | eventSeverity, eventDateAndTime, eventSource, days |
| eventLicenseHasExpired | License has expired. | eventSeverity, eventDateAndTime, eventSource |
| eventLicenseExpiresSoon | License expires soon. Calculated as the number of days until the expiration date for the license key | eventSeverity, eventDateAndTime, eventSource, days |
| eventTaskInternalError | Task completion error | eventSeverity, eventDateAndTime, eventSource, errorCode, knowledgeBaseId, taskName |
| eventUpdateError | Error performing an update task | eventSeverity, eventDateAndTime, taskName, updaterErrorEventReason |

Table 21. Settings for traps and possible values

Parameter: Description and possible values

eventDateAndTime: Event occurrence time

eventSeverity: Severity level. Possible values include:
 critical (1) – critical,
 warning (2) – warning,
 info (3) – informational.

userName: Username (for example, name of the user that attempted to gain access to an infected file)

computerName: Computer name (for example, name of the computer from which a user attempted to gain access to an infected file)

eventSource: Event source: functional component where the event was generated. Possible values include:
 unknown (0) – functional component not known;
 quarantine (1) – Quarantine;
 backup (2) – Backup;
 reporting (3) – Reports;
 updates (4) – Update;
 realTimeProtection (5) – Real-time protection;
 onDemandScanning (6) – On-demand scan;
 product (7) – event related to operation of Anti-Virus as a whole rather than operation of individual components;
 systemAudit (8) – system audit log;
 hostBlocker (9) – Block access from computers to the server.

eventReason: What triggered the event. Possible values include:
 reasonUnknown (0) – reason not known,
 reasonInvalidSettings (1) – only for Backup and Quarantine events; displayed if Quarantine or Backup is unavailable (insufficient access permissions or the folder is specified incorrectly in the Quarantine settings, for example, a network path is specified). If this is the case, Anti-Virus will use the default Backup or Quarantine folder.

objectName: Object name (for example, name of the file where the virus was detected).

threatName: Threat name

detectType: Threat type. Possible values include:
 undefined (0) – undefined;
 virware – classic viruses and network worms;
 trojware – Trojans;
 malware – other malicious programs;
 adware – advertising programs;
 pornware – programs with pornographic content;
 riskware – potentially dangerous programs.
For more details on threat types, see 1.1.2 on pg. 14.

detectCertainty: Certainty level for threat detection. Possible values include:
 Warning - object is classified as suspicious by the heuristic analyzer;
 Suspicion - object is classified as suspicious; a partial match was detected between a section of the object's code and the code of a known threat;
 Sure - object classified as infected; an exact match was detected between a section of the object's code and the code of a known threat.

days: Number of days (for example, the number of days until the license expiration date)

errorCode: Error code

knowledgeBaseId: Address of a knowledge base article (for example, address of an article that explains a particular error)

taskName: Task name

updaterErrorEventReason: The reason why the update was not applied. Possible values include:
 reasonUnknown(0) – reason is unknown;
 reasonAccessDenied – access denied;
 reasonUrlsExhausted – the list of update sources is exhausted;
 reasonInvalidConfig – invalid configuration file;
 reasonInvalidSignature – invalid signature;
 reasonCantCreateFolder – folder cannot be created;
 reasonFileOperError – file error;
 reasonDataCorrupted – object is corrupted;
 reasonConnectionReset – connection reset;
 reasonTimeOut – connection timeout exceeded;
 reasonProxyAuthError – proxy authentication error;
 reasonServerAuthError – server authentication error;
 reasonHostNotFound – computer not found;
 reasonServerBusy – server unavailable;
 reasonConnectionError – connection error;
 reasonModuleNotFound – object not found;
 reasonBlstCheckFailed(16) – error checking the list of recalled licenses. It is possible that database updates were being published at the moment of update; please repeat the update in a few minutes.
See the list of these reasons and possible administrator actions on the Technical Support Service website in section If a program generated an error (http://support.kaspersky.com/error).

storageObjectNotAddedEventReason: The reason why the object was not backed up or quarantined. Possible values include:
 reasonUnknown(0) – reason is unknown;
 reasonStorageInternalError – database error; please restore Anti-Virus;
 reasonStorageReadOnly – database is read-only; please restore Anti-Virus;
 reasonStorageIOError – input/output error: a) Anti-Virus is corrupted, please restore Anti-Virus; b) disk with Anti-Virus files is corrupted;
 reasonStorageCorrupted – storage is corrupted; please restore Anti-Virus;
 reasonStorageFull – database is full; free up disk space;
 reasonStorageOpenError – database file could not be opened; please restore Anti-Virus;
 reasonStorageOSFeatureError – some operating system features do not correspond to Anti-Virus requirements;
 reasonObjectNotFound – object being placed to Quarantine does not exist on the disk;
 reasonObjectAccessError – not enough rights to use Backup API: account under which the operation is performed does not have Backup Operator rights.
 reasonDiskOutOfSpace – not enough space on the disk.

APPENDIX A. DESCRIPTION OF GENERAL ANTI-VIRUS SETTINGS AND SETTINGS OF ITS FUNCTIONS, AND TASKS

A.1. Anti-Virus settings

You can configure the following Anti-Virus settings:
 The maximum number of processes (see A.1.1 on pg. 340);
 The maximum number of processes used in real-time protection (see
A.1.2 on pg. 341);
 Number of processes for background on-demand scan tasks (see A.1.3
on pg. 342);
 Task recovery (see A.1.4 on pg. 343);
 How long information displayed in the Reports node is stored (see
A.1.5 on pg. 344);
 How long information displayed in the System Audit Log node is
stored (see A.1.6 on pg. 344);
 Actions when switching to an uninterruptible power supply (see A.1.7 on
pg. 345);
 Event generation threshold (see A.1.8 on pg. 346);
 Creation of the tracking log (see A.1.9 on pg. 346);
 Creation of the Anti-Virus process memory dump files (see A.1.10 on
pg. 351).

A.1.1. Maximum number of processes

Setting: The maximum number of processes

Description: This setting applies to the Anti-Virus Scalability settings. It sets the maximum number of processes that Anti-Virus can run simultaneously.
Anti-Virus processes are used to execute real-time protection, on-demand scan and updating tasks.
Increasing the number of processes running in parallel increases the speed of file processing and the stability of Anti-Virus operation. However, if the value of this setting is too high, it may decrease general server performance and increase RAM usage.
Note
In the Administration Console of the Kaspersky Administration Kit application you can modify the Maximum number of processes setting only for Anti-Virus installed on a separate server (in the Application Settings dialog box); you cannot modify this setting in the policy settings for a group of servers.

Allowable values: 1–8

Default value: Anti-Virus controls scalability automatically depending on the number of processors on the server:

| Number of processors | Maximum number of active processes |
|---|---|
| =1 | 1 |
| 1 < number of processors < 4 | 2 |
| 4 | 4 |

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.2. Number of processes used in real-time protection

Setting: Number of processes used in real-time protection

Description: This setting applies to the Anti-Virus Scalability settings.
Using this setting you can specify the fixed number of processes in which Anti-Virus will execute real-time protection tasks.
A higher value of this setting will increase the scan speed in the real-time protection tasks. However, the more processes Anti-Virus uses, the greater its influence will be on the general performance of the protected server and on RAM consumption.
Note
In the Administration Console of the Kaspersky Administration Kit application you can modify the Number of processes setting only for Anti-Virus installed on a separate server (in the Application Settings dialog box); you cannot modify this setting in the policy settings for a group of servers.

Allowable values: 1–N, where N is the value specified by the Maximum number of processes setting.
If you set the Number of Processes for Real-Time Protection equal to the Maximum Number of Active Processes, you will decrease the effect Anti-Virus has on the rate of file exchange between the computers and the server, which will increase its speed during real-time protection. However, updating tasks and on-demand scan tasks with base priority Normal will be executed in the Anti-Virus work processes which are already running. On-demand scan tasks will be executed more slowly. If the execution of a task causes an abnormal termination of a process, its restart will take longer.
On-demand scan tasks with base priority Low will always be executed in a separate process or processes (see section A.1.3 on pg. 342).

Default value: Anti-Virus controls scalability automatically depending on the number of processors on the protected server.

| Number of processors | Number of real-time protection processes |
|---|---|
| =1 | 1 |
| >1 | 2 |

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.3. Number of processes for background on-demand scan tasks

Parameter: Number of processes for background on-demand scan tasks

Description: This setting applies to the Anti-Virus Scalability settings.
Using this setting you can specify the maximum number of processes in which Anti-Virus will execute on-demand scan tasks in the background mode.
The number of processes you set with this setting is not included in the total number of Anti-Virus working processes set by the Maximum number of active processes setting.
For example, if you set:
 maximum number of active processes – 3;
 number of processes for real-time protection tasks – 3;
 number of processes for background on-demand scan tasks – 1;
then start real-time protection tasks and one on-demand scan task in the background mode, the total number of Anti-Virus working processes kavfswp.exe will become 4.
Several on-demand scan tasks can run in one working process with low priority.
You can increase the number of working processes, for example, if you run several tasks in the background mode, in order to allocate a separate process for each task. Allocating separate processes for tasks increases the reliability of the tasks’ execution and their speed.

Possible values: 1-4

Default value: 1

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.4. Task recovery

Setting: Task recovery (Attempt to recover tasks no more than … times)

Description: This setting applies to the Anti-Virus Reliability settings. It enables recovery of Anti-Virus tasks in case of their emergency termination and defines the number of attempts used to recover the on-demand scanning tasks.
When an emergency termination of a task occurs, the kavfs.exe process of Anti-Virus attempts to restart the process instance that was running that task at the moment of its termination.
If task recovery is disabled, Anti-Virus does not restore the real-time protection and on-demand scanning tasks.
If task recovery is enabled, Anti-Virus attempts to resume the real-time protection tasks until they are started successfully, and it keeps restarting the on-demand scanning tasks using the number of attempts specified in the option.

Allowable values: Enabled / Disabled
The number of on-demand scanning tasks recovery attempts: 1-10

Default value: Task recovery is enabled. The number of on-demand scanning tasks recovery attempts – 2.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.5. Reports storage period

Setting: Reports storage period (Do not store reports and events for longer than … days)

Description: This setting defines how many days the summary and detailed task performance reports displayed in the Reports node of the Anti-Virus console in MMC will be stored. You can disable this setting in order to store reports about task execution indefinitely. In this case the report file may become very large.

Allowable values: 1–365

Default value: In detailed reports about task execution, Anti-Virus deletes records of events that occurred over 30 days ago. Reports about completed tasks will be deleted 30 days after completion of the task.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.6. Storage period for events in the system audit log

Setting: System audit log storage period (Do not store events for longer than … days)

Description: You can restrict the storage period for events displayed in the System Audit Log node of the Anti-Virus Console in MMC.

Allowable values: 1–365

Default value: The system audit log will not be deleted.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.7. Actions if uninterruptible power supply is used

Parameter: Use of uninterruptible power supply

Description: This setting determines the actions that Anti-Virus will take if the server switches to an uninterruptible power supply.

Possible values:
 run / do not run on-demand scan tasks that run on a schedule;
 perform / stop all active on-demand scan tasks.

Default value: By default, if an uninterruptible power supply is used to power the server, Anti-Virus:
 does not run on-demand scan tasks that run on a schedule;
 automatically stops all active on-demand scan tasks.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.8. Event generation thresholds

Setting: Event generation thresholds

Description: You can specify the thresholds for generation of the following three events:
 Bases are obsolete and Bases are outdated. These events occur if the Anti-Virus bases have not been updated during the period (in days) specified by the setting since the release date of the latest installed bases updates. You can configure an administrator's notification for these events.
 Full computer scan has not been performed for a long time. This event occurs if during the specified number of days no tasks flagged with the Treat task execution as a full server scan task box have been executed. For more details about the "full computer scan task" status see 21.4 on pg. 315.

Allowable values: Number of days from 1 to 365

Default value: Bases obsolete – 7 days;
Bases outdated – 14 days;
Full computer scan has not been performed for a long time - 30 days.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.9. Tracking log settings


 Generating a Tracking log (see A.1.9.1 on pg. 347);
 The tracking file folder (see A.1.9.2 on pg. 348);
 The Tracking log level of detail (see A.1.9.3 on pg. 348);
 Size of a single tracking file (see A.1.9.4 on pg. 349);
 Tracing selected Anti-Virus subsystems (see A.1.9.5 on pg. 350).

A.1.9.1. Creating traces

Parameter: Creating tracking log (Write debug information into the file)

Description: The Generate Tracking log setting belongs to the Malfunction diagnosis settings group.
If a problem arises in Anti-Virus operation (for example, Anti-Virus or an individual task crashes or does not start) and you want to debug it, you can create a Tracking log and send the log files to Kaspersky Lab technical support to be analyzed. For more details on how to contact the Technical Support Service, see section 1.2.3 on pg. 21. Tracking logs are saved to a separate file for each Anti-Virus process.

Values and some recommendations for using them: Tracking log is generated / not generated.
To enable Tracking log generation, you must specify the folder where the log files will be saved.
If you are managing Anti-Virus on the protected server through a console installed on a different computer, you must specify the Tracking log settings in the Microsoft Windows registry of this computer and then close and reopen the Anti-Virus console in MMC to enable traces for the gui subsystem.
 If the computer is running a 32-bit version of Microsoft Windows:
HKEY_LOCAL_MACHINE\Software\KasperskyLab\KAVFSEE\6.0\Trace\Configuration=subsystem=gui;level=info;sink=folder(<folder for Tracking log files and path to it>);roll=50000;layout=basic;logging=on
 If the computer is running a 64-bit version of Microsoft Windows:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\KAVFSEE\6.0\Trace\Configuration=subsystem=gui;level=info;sink=folder(<folder for Tracking log files and path to it>);roll=50000;layout=basic;logging=on
When specifying the path to the folder you can use system environment variables; you cannot use user environment variables.

Default value: Tracking log is not generated.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.9.2. The tracking file folder

Parameter: The tracking file folder (Debug file folder)

Description: To enable Tracking log generation, you must specify the folder where the log files will be saved.

Values and some recommendations for using them: Specify the folder on a local drive of the protected server.
If you specify a path to a nonexistent folder, the Tracking log will not be created.
Do not use folders on virtual drives created using the SUBST command or network server drives as the Tracking log folder.
If you are managing Anti-Virus on the protected server through an MMC console installed on a remote administrator's workstation, you must be included in the local administrators group on the protected server to be able to view the folders on it.
When specifying the path to the tracking file folder you can use system environment variables; you cannot use user environment variables.

Default value: Not specified

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.9.3. Tracking log level of detail

Parameter: Tracking log level of detail

Description: You can select the Tracking log level of detail (Debug information, Information events, Important events, Errors or Critical events).

Values and some recommendations for using them: The most detailed level is Debug information, which writes all events to the log, and the least detailed is Critical events, which only writes critical events to the log.
Please note that the tracking file can take up a large amount of disk space.

Default value: If you do not change the logging settings when you enable Tracking log generation, Anti-Virus will trace Anti-Virus subsystems with the Debug information level of detail.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.9.4. Size of a single tracking file

Parameter: Size of a single tracking file

Description: You can change the maximum size of a single Tracking log.

Values and some recommendations for using them: 1–999 MB
As soon as a log file reaches the maximum size, Anti-Virus begins writing information to a new file; the previous log file is saved.

Default value: If you do not change the logging settings when you enable Tracking log generation, the maximum size of a single tracking file will be 50 MB.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.1.9.5. Tracking individual Anti-Virus subsystems

Parameter: Tracking only some Anti-Virus subsystems.

Description: You can keep logs of only selected Anti-Virus subsystems instead of all of them.

Values and some recommendations for using them: In the Anti-Virus settings dialog box, in the Malfunction diagnosis settings group, click the Additional settings button and, in the Additional settings window, enter the codes for the subsystems that you want to trace in the Subsystems to be traced field. Separate subsystem codes with a comma. When entering a subsystem code, keep the letter case shown. The codes and Anti-Virus subsystem names are listed in Table 21 below.
Anti-Virus applies trace settings for the gui subsystem (the appearance of Anti-Virus) after the Anti-Virus console is restarted; trace settings for the AK_conn subsystem (subsystem for integrating Kaspersky Administration NAgent) are applied after Kaspersky Administration Kit NAgent is restarted; trace settings for other Anti-Virus subsystems are applied immediately after the settings are saved.

Default value: If you do not change the logging settings when you enable Tracking log generation, Anti-Virus will trace all Anti-Virus subsystems.

To learn how to configure this setting:
 in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
 in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.
The table below lists the codes of the Anti-Virus subsystems whose information can be added to the tracking log.

Table 22. The list of subsystems codes for adding to the tracking log

| Subsystem code | Subsystem description |
|---|---|
| * | All components (by default) |
| gui | Anti-Virus Snap-In in MMC |
| AK_conn | Subsystem of integration with Kaspersky Administration Kit Network Agent |
| bl | Control processes, implements the Anti-Virus control tasks |
| wp | Working process, executes the Anti-Virus protection tasks |
| blgate | Anti-Virus remote control process |
| ods | On-demand scan subsystem |
| oas | Real-time file protection subsystem |
| qb | Quarantine and backup storage subsystem |
| scandll | Auxiliary module of Anti-Virus scan |
| core | Basic Anti-Virus functionality subsystem |
| avscan | Anti-Virus processing subsystem |
| avserv | Anti-Virus kernel management subsystem |
| prague | Basic functionality subsystem |
| scsrv | Subsystem of dispatching queries from the script interceptor |
| script | Script interceptor |
| updater | Bases and software modules updating subsystem |
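
As an added example (not part of the guide or of the product), the following sketch parses a Trace\Configuration registry value of the form shown in A.1.9.1 and checks it against the constraints stated in A.1.9.1, A.1.9.2 and the subsystem table above. The function names, problem codes, the list of per-user variable names and the treatment of a comma-separated subsystem list in the registry value are assumptions; the sample values are constructed.

```python
import re

# The six keys that appear in the registry value shown in section A.1.9.1.
REQUIRED_KEYS = ("subsystem", "level", "sink", "roll", "layout", "logging")

# Subsystem codes from the table of subsystem codes; codes are case-sensitive.
SUBSYSTEM_CODES = {
    "*", "gui", "AK_conn", "bl", "wp", "blgate", "ods", "oas", "qb",
    "scandll", "core", "avscan", "avserv", "prague", "scsrv", "script",
    "updater",
}

# Windows variables that exist only per user (assumed deny-list, not from
# the guide, which only says that user variables cannot be used).
USER_ONLY_VARIABLES = {"USERPROFILE", "APPDATA", "LOCALAPPDATA", "HOMEPATH"}


def parse_trace_configuration(value):
    """Split 'key=value;key=value;...' into a dict.

    Limitation: a folder path that itself contains ';' is not supported.
    """
    settings = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {part!r}")
        settings[key.strip()] = val.strip()
    return settings


def check_trace_configuration(value):
    """Return a list of problem codes; an empty list means no problem found."""
    settings = parse_trace_configuration(value)
    problems = [f"missing:{key}" for key in REQUIRED_KEYS if key not in settings]

    by_lowercase = {code.lower(): code for code in SUBSYSTEM_CODES}
    for code in settings.get("subsystem", "").split(","):
        code = code.strip()
        if not code or code in SUBSYSTEM_CODES:
            continue
        expected = by_lowercase.get(code.lower())
        if expected:
            problems.append(f"subsystem-case:{code}->{expected}")
        else:
            problems.append(f"subsystem-unknown:{code}")

    if "sink" in settings:
        match = re.fullmatch(r"folder\((.*)\)", settings["sink"])
        folder = match.group(1).strip() if match else ""
        if not folder:
            problems.append("sink-no-folder")
        else:
            # A.1.9.2: the folder must be on a local drive, not a network path.
            # A SUBST drive cannot be recognised from the string alone.
            if folder.startswith("\\\\"):
                problems.append("folder-network-path")
            for name in re.findall(r"%([^%]+)%", folder):
                if name.upper() in USER_ONLY_VARIABLES:
                    problems.append(f"folder-user-variable:{name}")

    if "roll" in settings and not settings["roll"].isdigit():
        problems.append("roll-not-numeric")
    return problems


# Constructed sample values (folder names are placeholders).
GOOD = (r"subsystem=gui;level=info;sink=folder(%SystemRoot%\Temp\kavtrace);"
        r"roll=50000;layout=basic;logging=on")
BAD = (r"subsystem=GUI,ods;level=info;sink=folder(\\fileserver\share\traces);"
       r"roll=50MB;layout=basic")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_trace_configuration(sample) or "no problems found")
```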

A.1.10. Creating Anti-Virus processes


memory dump files

Setting: Creating Anti-Virus processes memory dump files (Create dump files)

Description: The Creating Anti-Virus processes memory dump files setting is included in the Diagnostics failure settings group.
If a problem occurs during Anti-Virus operation (for example, Anti-Virus terminates abnormally) and you wish to diagnose it, you can enable the option of creating Anti-Virus processes memory dump files and send these files for analysis to Kaspersky Lab's Technical Support Service. For detailed information on how to contact the Technical Support Service, see section 1.2.3 on pg. 21.

Values and some recommendations on their usage: Dump files will be created / will not be created.
In order to enable the option of creating dump files, specify the folder into which dump files will be saved.
Note: If you specify a path to a non-existent folder, no dump files will be created.
If you are managing Anti-Virus on the protected server through a console installed on a different computer, you must specify the dump generation settings in the Microsoft Windows registry of this computer and then close and reopen the Anti-Virus console to enable dump file generation for the Anti-Virus console.
• If the computer is running a 32-bit version of Microsoft Windows:
  HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\KAVFSEE\6.0\CrashDump\Enable=0x00000000
  HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\KAVFSEE\6.0\CrashDump\Folder=C:\Temp
• If the computer is running a 64-bit version of Microsoft Windows:
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\KAVFSEE\6.0\CrashDump\Enable=0x00000000
  HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\KAVFSEE\6.0\CrashDump\Folder=C:\Temp
0x00000000 – disable dump generation for the process of the Anti-Virus console in MMC;
0x00000001 – enable dump generation for the process of the Anti-Virus console in MMC.
Folder=C:\Temp – folder where the dump file for the process of the Anti-Virus console in MMC will be saved in case of its abnormal termination.
When specifying the path to the folder with memory dump files, you can use system environment variables; you cannot use user environment variables.

Default value: Dump files will not be created.


To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 3.2 on pg. 40;
• in the Kaspersky Administration Kit application, see section 20.2 on pg. 276.

A.2. Task schedule settings


You can configure the following task schedule settings:
• Launch frequency (see A.2.1 on pg. 353);
• Date when the schedule will be applied and the time for the task launch (see A.2.2 on pg. 355);
• Schedule disabling date (see A.2.3 on pg. 356);
• Maximum duration of the task execution (see A.2.4 on pg. 356);
• Time period (within 24 hours) during which task will be paused (see A.2.5 on pg. 357);
• Launching of skipped tasks (see A.2.6 on pg. 357);
• Distribution of task launch time using interval, min (see A.2.7 on pg. 358).

A.2.1. Launch frequency

Setting: Launch frequency

Description: This is a mandatory setting. A task may be launched with the frequency you specify in hours, days or weeks, on the specified weekdays, after Anti-Virus is started, or after bases updates are received by the Administration Server.

Values and some recommendations on their usage: Allowable values include:
• Every hour. The task will be launched with the frequency equal to the number of hours you specified.
• Daily. The task will be launched with the frequency equal to the number of days you specified.
• Weekly. The task will be launched with the frequency equal to the number of weeks you specified.
• At Anti-Virus startup. The task will be launched at every Anti-Virus startup.
• After bases update (this option is not used in update tasks). The task will be launched after every update of the Anti-Virus database.
• After receiving updates by the Administration Server (used only in the Application update, Application module update and Downloading updates tasks; displayed only in the Kaspersky Administration Kit Administration Console, not displayed in the Anti-Virus Console in MMC). The task will be started each time the Administration Server receives bases updates.

Default value: In local predefined tasks the Launch frequency setting by default has the following values:
• Real-time file protection - At the application startup;
• Script monitoring - At the application startup;
• Scan at the system startup - At the application startup;
• Verification of the application integrity - At the application startup;
• Full computer scan - Weekly (Every Friday at 20:00);
• Quarantined objects scan - After the bases update;
• Application bases update – Every hour;
• Application modules update - Weekly (Every Friday at 16:00);
• Updates distribution - schedule disabled;
• Application database rollback - no schedule provided.
In all created user-defined on-demand scan tasks the schedule will be disabled.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.2.2. Date when the schedule will be applied and time of the first task launch

Setting: Date when the schedule will be applied and time of the first task launch

Description: The following settings are mandatory:
• Date when the schedule will be applied (Start at). Starting with the date you specified, the Anti-Virus will launch the task with the frequency indicated in the schedule.
• Start at (used if you selected Every hour as the value of the Frequency setting). The Anti-Virus will launch the task for the first time at the time you specified.
• Launch time (used if you selected Daily or Weekly as the value of the Frequency setting). The Anti-Virus will launch the task at the time you specified with the frequency indicated in the Frequency setting.

Allowable values: Specify date and time.

Default value: In all created user-defined on-demand scan tasks these settings will be disabled.
In local predefined tasks the Launch frequency setting by default has the following values:
• Full computer scan - every Friday at 20:00 in accordance with the time settings configured on the protected server;
• Application bases update – every three hours.
In the schedule of the rest of the predefined tasks these settings are disabled by default.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.2.3. Schedule disabling date

Setting: Schedule disabling date (Disable schedule starting from)

Description: Starting with the date you specified, the schedule will be disabled: scheduled tasks will not be launched according to this schedule.
This setting will not be applied if you selected At the application startup or After bases update as the value for the Launch Frequency setting.

Allowable values: Enter the date or select it in the Calendar dialog box.

Default value: Not provided

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.2.4. Maximum duration of the task execution

Setting: Maximum duration of the task execution

Description: If the execution of a task takes longer than the specified number of hours and minutes, it will be terminated by the Anti-Virus. A task terminated this way will not be considered skipped.
Using this setting you can specify the time for the automatic termination of the real-time protection tasks.
This setting is not used in the updating tasks.

Allowable values: Specify the number of hours and minutes.

Default value: Disabled

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.2.5. Time period (within 24 hours) during which a task will be paused

Setting: Time period (within 24 hours) during which a task will be paused (Pause from… until)

Description: If required, you can pause a task for a specified time period within 24 hours. For example, you can pause an on-demand scan task if the load on the server is too high and you do not wish to create additional load by the execution of this task.
This setting is not used in the updating tasks.
If, along with the above setting, you specified the Maximum task execution time setting, note that the time period during which the task will be paused is included in the total task execution time.

Allowable values: Specify a time span within a 24-hour period.

Default value: Not specified

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.2.6. Launching skipped tasks

Setting: Launching skipped tasks

Description: You can enable the function of launching skipped tasks. If the Anti-Virus cannot start a task at the specified time (for example, if the computer is turned off), the Anti-Virus will consider this task skipped and will automatically start its execution after it is started.
This setting will not be applied if you selected At the application startup or After bases update as the value for the Launch Frequency setting.

Allowable values: Enabled/disabled

Default value: Disabled

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.2.7. Launch time distribution within a time interval, min

Setting: Launch time distribution within a time interval, min.

Description: If you provide a value for this setting, this task will be launched at any moment within the time interval between its scheduled launch time and the calculated time for its launch plus the value of this setting.
You can use this setting, for example, when you use one intermediary computer for distributing updates to multiple servers, in order to decrease the load on the intermediary computer and the network traffic.
This setting will not be applied if you selected At the application startup, After bases update or After receiving updates by Administration server as the value for the Launch Frequency setting.

Allowable values: Specify the number of minutes.

Default value: Not configured

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 5.7.1 on pg. 54;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.3. Security settings in the Real-time file protection task and on-demand scan tasks
The following security settings are used in the Real-time file protection task and the on-demand scan tasks:
• Protection mode (only in the Real-time file protection task) (see A.3.1 on pg. 359);
• Detectable objects (see A.3.2 on pg. 360);
• Scan of new and modified objects only (see section A.3.3 on pg. 362);
• Scan of composite objects (see A.3.4 on pg. 363);
• Actions to be performed with infected objects (see A.3.5 on pg. 364);
• Actions to be performed with suspicious objects (see A.3.6 on pg. 366);
• Actions to be performed with objects depending on the threat class (see A.3.7 on pg. 368);
• Excluding objects (see A.3.8 on pg. 369);
• Excluding threats (see A.3.9 on pg. 370);
• Maximum duration of an object scan (see A.3.10 on pg. 372);
• Maximum duration of a composite object scan (see A.3.11 on pg. 372);
• The use of iChecker technology (see A.3.12 on pg. 373);
• The use of iSwift technology (see A.3.13 on pg. 374).

A.3.1. Protection mode


The Protection Mode security setting is used only in the Real-time file protection task.

Setting: Protection mode

Description: This setting is used only in the Real-time file protection task. It determines the type of access to the objects that ensures that the Anti-Virus scans such objects.
The Protection mode has a common value for the entire protection area specified in the task. You cannot specify different values of the setting for its individual nodes.

Values and some recommendations on their usage: Select one of the protection modes depending on your requirements for the server security, on which files are stored on the server, on the format the files are stored in and on the information they contain:
• Intelligent Mode. The Anti-Virus scans the object when it is opened and rescans it after it is saved, if the object was modified. If multiple calls to the object were made by the process while it ran and if the process modified it, the Anti-Virus will rescan the object only after the last time the object was saved by the process.
• When opened and modified. The Anti-Virus scans the object when it is opened and rescans it after it is saved if the object was modified.
• When opened. The Anti-Virus scans the object when it is opened for reading or for execution or modification.
• When executed. The Anti-Virus scans the object only when it is opened for execution.
By default, objects are scanned in the On opening and modification protection mode.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 6.2.3 on pg. 82;
• in the Kaspersky Administration Kit application, see section 21.3 on pg. 313.

A.3.2. Detectable objects


The Detectable objects security setting is used in the Real-time file protection
task and on-demand scan tasks.

Setting: Detectable objects

Description: This setting determines whether all objects in the protection scope are scanned or only objects with specified formats or extensions.
The Kaspersky Lab virus analysts draw up lists of formats and extensions that infectable objects could have. These lists are saved in the Anti-Virus database. When Kaspersky Lab updates them, you will receive these updates along with the database updates.
Using the Objects to scan, you can create your own extension list.

Values and some recommendations on their usage: Select one of the following values:
• All objects. The Anti-Virus will scan all objects irrespective of their extension or format;
• Objects by format. Before scanning an object, Anti-Virus will determine its format. If the format of the object is included in the list of infectable formats, Anti-Virus will scan that object. If the format of the object is not included on the list (for example, a text file cannot be infected), Anti-Virus will skip this object.
• Objects by a specified list of extensions. The Anti-Virus scans objects with extensions included in the list of infectable objects. If the extension of an object is not included on the list, Anti-Virus will skip this object.
  If you select the objects by extension value, the scan will be faster than a scan with the objects by format value selected. However, this involves a higher risk of infection, since the extension of an object may not correspond to its format. For example, if an object has the extension .txt, it does not necessarily mean that this object is of text format. Such an object may in fact be an executable file and may contain a threat. But the Anti-Virus will skip such an object, since the .txt extension is not included in the list of infectable extensions.
• Objects by extension masks. The Anti-Virus scans objects with extensions that are included in the list (by default this list is empty).
  You can add new extensions or extension masks to the list and delete existing extensions or masks from the list. You can use the wildcards * and ? in the extension masks. In order to restore the default list of extensions, press the Default button in the list editing dialog box.
  You can add all the extensions from the list of extensions provided by Anti-Virus. To do it, click the Default button.
Scan boot sectors of disks and of the main boot record (MBR). This setting is applied when the scan scope includes the predefined areas Hard Drives and Removable Drives, the predefined area My Computer or dynamically created drives. This setting is not applied if the scan scope includes only the System memory, Startup objects, Public folders areas or if the scan scope includes individual files or folders.
Scan alternate NTFS streams. The Anti-Virus scans alternate file and folder streams on the NTFS file system drives.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, in the Real-Time File Protection task see section 6.2.2.2 on pg. 74; in on-demand scan tasks see section 9.2.2.2 on pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.
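
The risk noted above for the extension-based values (an object named .txt that is in fact an executable) can be checked on a file share with a short script. This is an added example, not Kaspersky Lab code: the extension list and the sample files are constructed, and the byte signatures are the standard leading bytes of the named formats.

```python
import os
import tempfile

# Well-known leading-byte signatures of formats that can carry executable content.
SIGNATURES = [
    (b"MZ", "Windows executable (MZ/PE)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file"),
    (b"Rar!\x1a\x07", "RAR archive"),
]

# Hypothetical administrator-defined extension list (an assumption for this example).
SCANNED_EXTENSIONS = {".exe", ".dll", ".sys", ".zip", ".rar", ".doc", ".xls"}


def detect_format(path):
    """Return the format name indicated by the file's first bytes, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return "unreadable"  # cannot be verified, so report it rather than skip it
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return None


def skipped_by_extension(path):
    """True when an extension-list policy would not scan this file."""
    return os.path.splitext(path)[1].lower() not in SCANNED_EXTENSIONS


def audit(root):
    """List (relative path, detected format) for files that an extension-only
    policy skips although their content matches an infectable format."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            fmt = detect_format(full)
            if fmt is not None and skipped_by_extension(full):
                findings.append((os.path.relpath(full, root), fmt))
    return findings


def build_sample_tree(root):
    """Write constructed sample files: headers only, no real executables."""
    samples = {
        "readme.txt": b"plain text, nothing to see\r\n",
        "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,   # executable header, .txt name
        "photo.jpg": b"PK\x03\x04" + b"\x00" * 26,    # ZIP header, .jpg name
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "empty.txt": b"",                             # edge case: zero-length file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temporary folder and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for rel, fmt in demo():
        print(f"{rel}: content is {fmt}, extension not in scan list")
```

A two-byte MZ match can misfire on text that happens to begin with those letters, so findings are candidates for a scan by format rather than verdicts.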

A.3.3. Scanning new and modified objects only
The Scanning new and modified objects only setting is applied in the Real-
time file protection task and on-demand scan tasks.

Setting: Scanning new and modified objects only

Description: When scan of only new and changed objects is enabled, Anti-Virus scans all objects in the specified protection scope (scan scope) except those objects which it already scanned and found clean and which have not changed since the moment of scan.

Values and some recommendations on their usage: Enable / Disable

To learn how to configure this setting:
• in the Anti-Virus console in MMC, in the Real-Time File Protection task see section 6.2.2.2 on pg. 74; in on-demand scan tasks see section 9.2.2.2 on pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.4. Scanning composite objects


The Scanning composite objects setting is applied in the Real-time file protection task and on-demand scan tasks.

Setting: Scanning composite objects

Description: Scanning of composite objects takes considerable time. By default the Anti-Virus scans only composite objects of the types that are most susceptible to infection and that, when infected, are most harmful for the server. Composite objects of other types are not scanned.
This setting allows the user, depending on the user's security requirements, to select types of composite objects that the Anti-Virus will scan.

Values and some recommendations on their usage: Select one or several values:
• Archives. The Anti-Virus scans regular archives. Note that Anti-Virus detects threats in regular archives of most types, yet it disinfects only ZIP, ARJ, RAR and CAB archives;
• SFX-archives. Anti-Virus scans the unpacking module included in SFX (self-extracting) archives;
• Mail databases. The Anti-Virus scans Microsoft Outlook and Microsoft Outlook Express mail database files;
• Packed objects. The Anti-Virus scans executable files packed by binary code packers, such as UPX or ASPack. Composite objects of this type contain threats more often than other types.
• Mail format files. The Anti-Virus scans mail format files, for instance Microsoft Office Outlook and Microsoft Outlook Express e-mail messages.
• Embedded OLE-objects. The Anti-Virus scans objects embedded into Microsoft Office files. Microsoft Office files often contain objects that may contain threats.
If the security setting Scan only new and changed objects is disabled for the selected protection scope (scan scope), you can enable or disable the scan of only new and changed objects for each type of compound objects individually.
If the scan of only new and changed objects is enabled, Anti-Virus scans all compound objects in the specified protection scope (scan scope) on the server except those objects which it already scanned and found clean and which have not changed since the moment of scan.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, in the Real-Time File Protection task see section 6.2.2.2 on pg. 74; in on-demand scan tasks see section 9.2.2.2 on pg. 123;
• in Kaspersky Administration Kit, see section 19.3 on pg. 268.

A.3.5. Action to be performed with infected objects
The Actions to be performed with infected objects security setting is used in
the Real-time file protection task and on-demand scan tasks.

A.3.5.1. The Real-time File Protection task

Setting: Action to be performed with infected objects

Description: When the Anti-Virus finds that an object being scanned is infected, it blocks access to the object for the application that calls it and performs with this object the action you have specified.
Before modifying the object (that is, before attempting to disinfect or delete it) the Anti-Virus places a copy of the object into Backup - a special folder in which objects are stored in encrypted form. For more details about Backup see Chapter 12 on pg. 173.
Anti-Virus will not attempt to disinfect or delete the object if it cannot first save its copy in the backup storage. Information about why Anti-Virus was unable to disinfect or delete an object will be displayed in the detailed task execution report.

Values and some recommendations on their usage: Select one of the following values:
• Block access + disinfect. The Anti-Virus attempts to disinfect the object and if disinfection is not possible it leaves the object intact (the object is not accessible by the application attempting to access it);
• Block access + disinfect, delete if disinfection is not possible. The Anti-Virus attempts to disinfect the object and if disinfection is not possible it deletes it;
• Block access + delete. The Anti-Virus deletes the infected object;
• Block access + perform the recommended action. Anti-Virus automatically selects and performs the action with the object based on the data about the threat detected in the object and about the possibility of disinfecting it. For example, Anti-Virus will immediately remove Trojan programs since they do not incorporate themselves into other files and do not infect them; therefore they do not need to be disinfected.
• Block access. The object remains intact; the Anti-Virus will not attempt to disinfect or delete the object and will only block access to it.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 6.2.2.2 on pg. 74;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.5.2. On-Demand Scan Tasks

Setting: Action to be performed with infected objects

Description: When the Anti-Virus finds that an object is infected, it performs with it the action you have selected.
Before modifying the object (that is, before attempting to disinfect or delete it) the Anti-Virus places a copy of the object into Backup - a special folder in which objects are stored in encrypted form. For more details about Backup see Chapter 12 on pg. 173.
Anti-Virus will not attempt to disinfect or delete the object if it cannot first save its copy in the backup storage. Information about why Anti-Virus was unable to disinfect or delete an object will be displayed in the detailed task execution report.

Values and some recommendations on their usage: Select one of the following values:
• Disinfect. The Anti-Virus attempts to disinfect the object and if disinfection is not possible it will leave the object intact;
• Disinfect, delete if disinfection is not possible. The Anti-Virus attempts to disinfect the object and if disinfection is not possible it deletes it;
• Delete. The Anti-Virus deletes the infected object without attempting to disinfect it;
• Perform the recommended action. The Anti-Virus automatically selects and performs the action with the object based on the data about the threat detected in the object and about the possibility of disinfecting the object; for example, Anti-Virus immediately deletes Trojans, as they do not intrude into other files and do not infect them and therefore are not subject to disinfection;
• Skip. The object will remain intact; the Anti-Virus will not attempt to disinfect or delete it. Information about the detected infected object will be saved into the detailed task execution report.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 9.2.2.2 on pg. 123;
• in Kaspersky Administration Kit, see section 19.3 on pg. 268.

A.3.6. Actions to be performed with suspicious objects
The Actions to be performed with suspicious objects security setting is used
in the Real-time file protection task and on-demand scan tasks.

A.3.6.1. The Real-time File Protection task

Setting: Actions to be performed with suspicious objects

Description: When the Anti-Virus finds that an object is suspicious, it blocks access to the object for the application trying to access it and performs with it the action you have selected.
Before deleting the object the Anti-Virus places a copy of the object into Backup - a special folder in which objects are stored in encrypted form. For more details about Backup see Chapter 12 on pg. 173.

Values and some recommendations on their usage: Select one of the following values:
• Block access + quarantine. The object will be moved to a special folder (quarantine) in which it is stored in encrypted form. For more details on using the quarantine see Chapter 11 on pg. 155.
• Block access + delete. Anti-Virus deletes the suspicious object from the disk;
  Anti-Virus will not delete the object if it cannot first place its copy into Quarantine. The object will remain intact. Information about the detected infected object will be saved into the detailed task execution report.
• Block access + perform the recommended action. The Anti-Virus selects and performs the action with the object based on the data about how dangerous the threat detected in the object is;
• Block access. The object will remain intact: Anti-Virus will not attempt to disinfect or delete the object and will only block access to it.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 6.2.2.2 on pg. 74;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.6.2. On-Demand Scan Tasks

Setting: Actions to be performed with suspicious objects

Description: When the Anti-Virus finds that an object is suspicious, it performs with it the action you have selected.
Before deleting the object the Anti-Virus places a copy of the object into Backup - a special folder in which objects are stored in encrypted form. For more details about Backup see Chapter 12 on pg. 173.

Values and some recommendations on their usage: Select one of the following values:
• Quarantine. The object will be moved to a special folder (quarantine) in which it is stored in encrypted form. For more details on using the quarantine see Chapter 11 on pg. 155;
• Delete. Anti-Virus deletes a suspicious object from the disk;
  Anti-Virus will not delete the object if it cannot first place its copy into Quarantine. The object will remain intact. Information about the detected infected object will be saved into the detailed task execution report.
• Perform the recommended action. The Anti-Virus selects and performs the action with the object based on the data about how dangerous the threat detected in the object is;
• Skip. The object will remain intact; the Anti-Virus will not attempt to disinfect or delete it. Information about the detected infected object will be saved into the detailed task execution report.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 9.2.2.2 on pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.7. Actions depending on threat type


The Actions depending on threat type security setting is used in the Real-time
file protection task and on-demand scan tasks.

Setting: Actions depending on threat type (Actions depending on threat type)

Description: Threats of some types (classes) are more dangerous than others. For instance, a Trojan horse may inflict more considerable damage compared with adware. Using settings of this group you can configure actions for Anti-Virus to perform with objects that contain threats of various types.
If you configure values for this setting, the Anti-Virus will apply them instead of values of the Actions to be performed with infected objects and Actions to be performed with suspicious objects settings.

Values and some recommendations on their usage: For each threat type, select from the list of all possible actions with infected and suspicious objects two actions that Anti-Virus will attempt to perform with the object if it detects a threat of the specified type in it. If the Anti-Virus fails to perform the first action, it will perform the second action you selected.
If possible, the Anti-Virus will apply the selected actions both to infected and to suspicious objects. For example, if you select Disinfect as the first action and Quarantine as the second action, the Anti-Virus will quarantine an infected object only if it failed to disinfect it, and it will quarantine a suspicious object immediately without attempting to perform the Disinfect action, since suspicious objects are not subject to disinfection.
If you select Skip as the first action, the second action will not be available. For other values we recommend specifying two actions.
Note that in the list of threat types Network Worms and Classic Worms are listed under the common heading Viruses.
If Anti-Virus fails to move an object to Backup or Quarantine, it will not take the next step on the object (for example, disinfecting or deleting it). The object will be considered skipped. You can also view the reason for skipping the object in the detailed report on task performance.
The value Undefined on the list of threat types includes new viruses currently not classified under any of the known threat types.
For the description of threat types see 1.1.2 on pg. 14.

Default value: Disabled

To learn how to configure this setting:
• in the Anti-Virus console in MMC, in the Real-Time File Protection task see section 6.2.2.2 on pg. 74; in on-demand scan tasks see section 9.2.2.2 on pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.8. Excluding objects


The Excluding objects security setting is used in the Real-time file protection
task and on-demand scan tasks.

Setting: Excluding objects (Exclude objects)

Description: Using this setting you can exclude individual objects or groups of objects (using a filename mask) from the scan scope.
By excluding large files from the scan scope you can speed up the file exchange and shorten the execution time of on-demand scan tasks.
Information about excluding objects from the scan scope is entered into the task execution report (according to the default report settings). For more details about reports see 13.2 on pg. 186.
For on-demand scan tasks: when the Anti-Virus scans a process in memory, it also scans the file from which the process was started, even if this file was added to the list of exclusions.

Values and some recommendations on their usage: Create a list of files. You can specify either the full file name or use a mask. Use the special symbols * and ? for creating a mask.

Default value: The list is empty

To learn how to configure this setting:
• in the Anti-Virus console in MMC, in the Real-Time File Protection task see section 6.2.2.2 on pg. 74; in on-demand scan tasks see section 9.2.2.2 on pg. 123;
• in Kaspersky Administration Kit, see section 19.3 on pg. 268.

A.3.9. Excluding threats


The Excluding threats security setting is used in the Real-time file protection
task and on-demand scan tasks.

Setting: Excluding threats

Description: If the Anti-Virus finds a scanned object infected or suspicious and performs actions with it, while you consider this object harmless for the protected server, you can exclude the threat detected in the object from the list of threats that Anti-Virus processes.
You can exclude one threat by specifying its name in a specific object, or an entire type (class) of threats. If you exclude a threat, the Anti-Virus will treat objects containing this threat as not infected.

Values and some recommendations on their usage: Create a list of threats to be excluded (by default this list is empty). Delimit values in the list using a semicolon (;).
In order to exclude a single object from the scan, specify the full name of the threat in this object - the Anti-Virus line with a conclusion that the object is infected or suspicious.
The full name of the threat is determined as the result of objects' threat. It may contain the following information:
<threat class>:<threat type>.<platform short name>.<threat name>.<threat modification name>.
For example, you use the Remote Administrator utility as a remote administration tool. Most Anti-Virus programs classify this utility's code as the Riskware threat type. If you do not want Anti-Virus to block it, add the full name of the threat to the list of excluded threats of the server file resource tree node in which the utility files are stored.
You can specify the following as the setting's value:
• full name of the threat: not-a-virus:RemoteAdmin.Win32.RAdmin.20. The Anti-Virus will not perform actions with application modules of the program in which Anti-Virus detected the threat Win32.RAdmin.20.
• mask for the full threat name: not-a-virus:RemoteAdmin.* The Anti-Virus will not perform actions with any version of the Remote Administrator program.
• mask of the full name of the threat including only the type of the threat: not-a-virus:* The Anti-Virus will not perform any actions with objects containing a threat of this type.
You can find the full name of a threat contained in the program in the detailed report about the task execution. For more details about reports see 13.2 on pg. 186.
Additionally you can find the full name of a threat detected in an object in the Virus Encyclopedia Viruslist.com. In order to find the name of a threat, enter the name of the product in the Search field.

To learn how to configure this setting:


 in the Anti-Virus console in ММС in the Real-Time File Protection task
see section 6.2.2.2 on pg. 74, in on-demand scan tasks - see section
9.2.2.2 on pg. 123;
 in the Kaspersky Administration Kit application, see section 19.3 on pg.
268.
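
The Python example below is an addition to this guide, not Kaspersky Lab code. It parses a semicolon-delimited Excluding threats value and reports which detections each entry would suppress, so that a broad or mistyped mask is noticed before it is saved. Only the first detection name comes from the guide; the other names, the mistyped entry, and the assumptions that * matches any run of characters and that matching is case-sensitive belong to the example.

```python
import re

# Semicolon-delimited value as it would be entered in the Excluding threats
# setting. The last entry is a constructed typo ("not-virus") to show how an
# entry that can never match is surfaced.
EXCLUSIONS = (
    "not-a-virus:RemoteAdmin.Win32.RAdmin.20;"
    "not-a-virus:RemoteAdmin.*; not-a-virus:*; not-virus:RemoteAdmin.*"
)

# Full threat names as they would appear in a detailed task report.
# Only the first name comes from the guide; the rest are constructed samples.
DETECTIONS = [
    "not-a-virus:RemoteAdmin.Win32.RAdmin.20",
    "not-a-virus:RemoteAdmin.Win32.RAdmin.21",
    "not-a-virus:AdWare.Win32.Sample.a",
    "Trojan.Win32.Sample.b",
]


def parse_exclusions(value):
    """Split the setting value on ';', trimming blanks and empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def classify(entry):
    """Return the kind of entry, following the three cases in the guide."""
    if "*" not in entry:
        return "full name"
    fixed = entry.split("*", 1)[0]         # literal text before the first '*'
    after_class = fixed.split(":", 1)[-1]  # drop "<threat class>:" if present
    # A '.' after the class prefix means a threat type was pinned down.
    return "name mask" if "." in after_class else "class-wide mask"


def mask_to_regex(entry):
    """Assumption: '*' matches any run of characters; all else is literal."""
    return re.compile(".*".join(re.escape(part) for part in entry.split("*")))


def audit(value, detections):
    """Map each exclusion entry to its kind, the detections it suppresses
    and the warnings an administrator should review."""
    report = {}
    for entry in parse_exclusions(value):
        pattern = mask_to_regex(entry)
        hits = [name for name in detections if pattern.fullmatch(name)]
        kind = classify(entry)
        warnings = []
        if not hits:
            warnings.append("matches no known detection (typo?)")
        if kind == "class-wide mask":
            warnings.append("suppresses a whole class of threats")
        report[entry] = {"kind": kind, "suppressed": hits, "warnings": warnings}
    return report


def still_processed(value, detections):
    """Detections that no exclusion entry covers."""
    patterns = [mask_to_regex(e) for e in parse_exclusions(value)]
    return [d for d in detections if not any(p.fullmatch(d) for p in patterns)]


if __name__ == "__main__":
    for entry, info in audit(EXCLUSIONS, DETECTIONS).items():
        print(f"{entry}\n  kind: {info['kind']}")
        print(f"  suppresses: {info['suppressed'] or 'nothing'}")
        for warning in info["warnings"]:
            print(f"  WARNING: {warning}")
    print("still processed:", still_processed(EXCLUSIONS, DETECTIONS))
```

Feed DETECTIONS from the full threat names in your own detailed task reports to see what a planned exclusion list would stop Anti-Virus from acting on.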

A.3.10. Maximum object scan time

The Maximum object scan time security setting is used in the Real-time file
protection task and on-demand scan tasks.

Setting: Maximum object scan time, sec. (Stop scan if it takes longer than…)

Description: Anti-Virus will stop scanning an object if the scan takes longer
than the number of seconds specified in the setting. Information about
excluding objects from the scan scope is entered into the detailed task
execution report (according to the default report settings).

Values: Enter the maximum duration of the object scan in seconds.

To learn how to configure this setting:

• in the Anti-Virus console in MMC: for the Real-Time File Protection task see
  section 6.2.2.2 on pg. 74; for on-demand scan tasks see section 9.2.2.2 on
  pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.11. Maximum size of a detectable composite object

The Maximum size of a detectable composite object security setting is used
in the Real-time file protection task and on-demand scan tasks.

Setting: The maximum size of a composite detectable object, MB (Do not scan
composite objects larger than…)

Description: If the size of a composite detectable object exceeds the specified
value, Anti-Virus will skip such object. Information about skipping objects is
entered into the detailed task execution report (according to the default
report settings).

Values: Specify the maximum composite object size in megabytes.

To learn how to configure this setting:

• in the Anti-Virus console in MMC: for the Real-Time File Protection task see
  section 6.2.2.2 on pg. 74; for on-demand scan tasks see section 9.2.2.2 on
  pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.12. Use of iChecker technology

The Enable iChecker security setting is used in the Real-time file protection
task and on-demand scan tasks.

Setting: Enable iChecker

Description: This setting enables and disables the use of Kaspersky Lab's
iChecker technology.
iChecker technology is only applied to infectable file types and formats.
With iChecker, Anti-Virus does not rescan objects on the server that were found
clean by its previous scans. The use of iChecker decreases the load on the
processor and disk systems and at the same time increases the speed of the scan
and of file exchange.
Note that Anti-Virus rescans an object in the scan scope if, since the previous
scan, the object itself has changed or the scan settings have been changed
towards a higher security level.
Anti-Virus records in the report that the object was not scanned due to the use
of iChecker technology (in accordance with the default report settings).

Values: Enabled/disabled

To learn how to configure this setting:

• in the Anti-Virus console in MMC: for the Real-Time File Protection task see
  section 6.2.2.2 on pg. 74; for on-demand scan tasks see section 9.2.2.2 on
  pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.3.13. Use of iSwift technology

The Apply iSwift security setting is used in the Real-time file protection task
and on-demand scan tasks.

Setting: Enable iSwift

Description: This setting enables and disables the use of Kaspersky Lab's
iSwift technology.
The iSwift technology is applied to objects on the NTFS file system.
With iSwift, Anti-Virus does not rescan objects that it found clean during
previous scans, or objects scanned by other Kaspersky Lab Anti-Virus
applications of version 6.0. The use of iSwift decreases the load on the
processor and disk systems and at the same time increases the speed of the scan
and of file exchange.
Note that Anti-Virus rescans an object if, since the previous scan, the object
itself has changed or the scan settings have been changed towards a higher
security level.
Anti-Virus records in the report that the object was not scanned due to the use
of iSwift technology (in accordance with the default report settings).
Anti-Virus uses a network version of iSwift technology called iNetSwift. It
operates in the same way as the ordinary iSwift version, but makes it possible
to skip reprocessing of files received from other computers running iSwift and
one of the following applications:
• Kaspersky Anti-Virus 6.0 for Windows Workstations;
• Kaspersky Anti-Virus 6.0 for Windows Servers;
• Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition;
• Kaspersky Anti-Virus 6.0 / 7.0;
• Kaspersky Internet Security 6.0 / 7.0.
The use of iNetSwift rules out reprocessing of objects within the entire
network, which minimizes the Anti-Virus impact on the speed of file exchange.
If Novell Client For Windows XP/2003 v4.71 or later is installed on the
protected server, the iSwift technology will operate within one computer
without the use of iNetSwift.

Values: Enabled/disabled

To learn how to configure this setting:

• in the Anti-Virus console in MMC: for the Real-Time File Protection task see
  section 6.2.2.2 on pg. 74; for on-demand scan tasks see section 9.2.2.2 on
  pg. 123;
• in the Kaspersky Administration Kit application, see section 19.3 on pg. 268.

A.4. Automatic blocking settings for computer access to the server

This Appendix contains a description of the following settings for automatic
blocking of computers’ access to the server:
• Enabling / disabling of blocking access from computers (see A.4.1 on pg. 375);
• Actions to be performed with infected objects (see A.4.2 on pg. 376);
• List of computers excluded from the blocking scope (see A.4.3 on pg. 377);
• Preventing virus outbreaks (see A.4.4 on pg. 378).

A.4.1. Enabling / disabling of automatic blocking access from computers

Setting: Enabling / disabling of automatic blocking access from computers

Description: This setting enables or disables automatic blocking of access
from computers when they attempt to write an infected or a suspicious file to
the server.
Anti-Virus does not automatically block access from computers if the When
opened or When executed option is selected as the value of the Protection mode
setting in the Real-time file protection task. In this case you can manually
block access from infected computers.
If you enable blocking of access from computers, it will be in effect only
while the Real-time file protection task is running.

Allowable values: Enable / disable

Default value: Disabled

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 7.2 on pg. 88;
• in the Kaspersky Administration Kit application, see section 20.3.1 on
  pg. 280.

A.4.2. Actions to be performed with infected objects

Setting: Actions to be performed with infected objects

Description: If automatic blocking is enabled, then once any computer in the
local network attempts to write an infected or a suspicious object to the
protected server, Anti-Virus will perform the action you have specified. You
can specify one or two actions:
• Block access from computers to the server. Anti-Virus will block access from
  the computer to the server for the specified period of time;
• Run executable file. Anti-Virus will start the specified executable file on
  the server. Commands in the executable file can define actions that will be
  performed by the specified application rather than by Anti-Virus. For example,
  an executable file may contain command line settings that will add the
  infected computer to the firewall settings if executed. You can include the
  infected computer's details in the text of the executable file using the
  special Anti-Virus command line setting %COMPUTER_NAME%. When selecting an
  executable file you can add command line modifiers supported by the
  application launched by the executable file.

Allowable values: If you selected Block access from the infected computer to
the server, specify a time period for which you wish to block access from the
computers to the server, in days, hours or minutes.
If you selected Run executable file, specify the name of the executable file
and the full path to it, and specify the account under which the executable
file will be run. The executable file must be stored on a local drive of the
protected server. The account under which the file will be executed must be
registered on the protected server or on the domain controller of the domain
that includes the protected server.

Default value: Blocking for 15 minutes

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 7.3 on pg. 89;
• in the Kaspersky Administration Kit application, see section 20.3.2 on
  pg. 281.

A.4.3. The trusted computers list

Setting: Trusted computers list

Description: You can specify a list of computers to be excluded from the
automatic blocking scope: local network computers on which Anti-Virus will not
perform any actions if an attempt to write an infected or suspicious object
from such a computer to the protected server occurs.
If you add to this list a computer from which access is currently blocked, that
computer will not be unblocked immediately after you have saved the new
blocking settings. It will be unblocked only after the time period specified
for its blocking has expired or after you have unblocked it manually.

Allowable values: Create a list of computers excluded from blocking by
specifying for each computer its network name, IP address or range of IP
addresses.
You can specify only NetBIOS network names of computers; you cannot specify
DNS names.

Default value: The list is empty

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 7.4 on pg. 91;
• in the Kaspersky Administration Kit application, see section 20.3.3 on
  pg. 282.
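
The Python example below is an addition to this guide, not Kaspersky Lab code. It reviews a planned trusted computers list before it is entered: DNS names are rejected as the rule above requires, and IP ranges that would exempt a large number of hosts from automatic blocking are flagged. The sample list is constructed; the "first-last" range notation, the IPv4-only handling and the 256-address review threshold are assumptions of the example.

```python
import ipaddress

# Characters that are not allowed in NetBIOS computer names.
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')

# Constructed sample of entries an administrator plans to add.
SAMPLE_LIST = [
    "FILE-SRV01",
    "192.0.2.10",
    "192.0.2.100-192.0.2.199",
    "backup.example.com",
    "10.0.0.0-10.255.255.255",
    "THIS-NAME-IS-TOO-LONG",
]


def classify_entry(entry):
    """Return (kind, detail); kind is 'ip', 'range', 'netbios' or 'rejected'."""
    text = entry.strip()
    try:
        return "ip", ipaddress.IPv4Address(text)
    except ValueError:
        pass
    if "-" in text:
        first, _, last = text.partition("-")
        try:
            low = ipaddress.IPv4Address(first.strip())
            high = ipaddress.IPv4Address(last.strip())
        except ValueError:
            pass  # not a range; may still be a NetBIOS name such as FILE-SRV01
        else:
            if low > high:
                return "rejected", "range start is above range end"
            return "range", (low, high)
    if "." in text:
        # Assumption: a dotted entry that is not an IP address is a DNS name.
        return "rejected", "DNS name; only NetBIOS names are accepted"
    if not text or len(text) > 15 or NETBIOS_FORBIDDEN & set(text):
        return "rejected", "not a valid NetBIOS name"
    return "netbios", text.upper()


def review(entries, broad_threshold=256):
    """Sort entries into accepted and rejected, and flag ranges that exempt
    more than broad_threshold addresses from automatic blocking."""
    accepted, rejected, broad = [], [], []
    for entry in entries:
        kind, detail = classify_entry(entry)
        if kind == "rejected":
            rejected.append((entry, detail))
            continue
        accepted.append((entry, kind))
        if kind == "range":
            low, high = detail
            size = int(high) - int(low) + 1
            if size > broad_threshold:
                broad.append((entry, size))
    return {"accepted": accepted, "rejected": rejected, "broad": broad}


if __name__ == "__main__":
    result = review(SAMPLE_LIST)
    for entry, kind in result["accepted"]:
        print(f"accept  {entry}  ({kind})")
    for entry, reason in result["rejected"]:
        print(f"reject  {entry}  ({reason})")
    for entry, size in result["broad"]:
        print(f"review  {entry}  exempts {size} addresses from blocking")
```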

A.4.4. Preventing virus outbreaks

Setting: Virus outbreak prevention

Description: If the Virus outbreak prevention function is enabled, Anti-Virus
will increase the protection level in the running Real-time file protection
task once the number of computers with blocked server access has reached the
specified value. Anti-Virus applies the common security settings described in
Table 23 to the entire protection area.
If the function of restoring the security level is enabled, then when the
number of computers with blocked access has decreased to the specified value,
Anti-Virus will return to the security setting values indicated in the
Real-time file protection task.
If you change the security settings described in Table 23 while the Real-time
file protection task is running with an automatically raised security level
(that is, before the level is restored), the new settings will not be applied
immediately. They will only be applied when Anti-Virus restores the security
level or you disable virus outbreak prevention.
Information about the changes in the security settings will be entered into the
system audit log.
The Preventing of Virus Outbreaks function is not used if the values of the
security settings in the Real-time File Protection task are determined by a
policy of the Kaspersky Administration Kit application.

Allowable values: You can select the following values:
• Enable / disable the Virus outbreaks prevention function; specify the number
  of blocked computers that, when reached, causes Anti-Virus to increase the
  security level;
• Enable / disable the restoration of the security level; specify the number of
  computers that, when reached, will cause Anti-Virus to restore the security
  level.

Default value: Disabled
If you enable the Virus outbreaks prevention function, the following values
will be applied by default:
• Threshold for increasing the security level – 25 computers;
• Threshold for restoring the security level – 15 computers.

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 7.5 on pg. 92;
• in the Kaspersky Administration Kit application, see section 20.3.4 on
  pg. 283.

The table provided below lists the values of the security settings that are
used in the Real-time File Protection task when the number of computers with
blocked access to the server reaches the specified value.
Table 23. Values of the security settings of the Virus outbreak prevention function

Security setting                                      Value

Protection mode (see A.3.1 on pg. 359)                when opened or modified

Detectable objects (see A.3.2 on pg. 360)             by format

Scan of new and modified objects only                 Disabled
(see A.3.3 on pg. 362)

Actions to be performed with infected objects         disinfect, delete if disinfection
(see A.3.5 on pg. 364)                                is not possible

Actions to be performed with suspicious objects       quarantine
(see A.3.6 on pg. 366)

Scan of composite objects (see A.3.4 on pg. 363)      The following values of the setting
                                                      are enabled:
                                                      • all SFX-archives;
                                                      • all packed objects;
                                                      • all embedded OLE-objects.
                                                      The following values of the setting
                                                      do not change:
                                                      • archives;
                                                      • mail databases;
                                                      • mail format files.

Alternate NTFS streams scan                           enabled
(see A.3.2 on pg. 360)

Drive boot sectors and MBR scan                       enabled
(see A.3.2 on pg. 360)

Maximum duration of an object scan                    60 sec.
(see A.3.10 on pg. 372)

Maximum size of a composite object scan               disabled
(see A.3.11 on pg. 372)

Values of the following security settings do not change:

• Excluding objects (see A.3.8 on pg. 369);
• Excluding threats (see A.3.9 on pg. 370);
• The use of iChecker technology (see A.3.12 on pg. 373);
• The use of iSwift technology (see A.3.13 on pg. 374).
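
The Python example below is an addition to this guide, not Kaspersky Lab code. It models the two thresholds of the Virus outbreak prevention function with the default values of 25 and 15 computers, and shows that a Table 23 setting edited while the level is raised takes effect only after the level is restored. The key names, the configured task values and the series of blocked-computer counts are constructed; reading "reached" as >= and "decreased to" as <= is an assumption.

```python
from dataclasses import dataclass, field

# Values from Table 23 that are forced while the security level is raised
# (subset; the key names are this example's own).
RAISED_VALUES = {
    "protection_mode": "when opened or modified",
    "scan_new_and_modified_only": False,
    "suspicious_action": "quarantine",
    "max_object_scan_time_sec": 60,
}

# Constructed task configuration. The last two keys stand for settings that
# Table 23 lists as not changed by the raise.
CONFIGURED = {
    "protection_mode": "when opened or modified",
    "scan_new_and_modified_only": True,
    "suspicious_action": "quarantine",
    "max_object_scan_time_sec": 30,
    "excluded_objects": "*.bak",
    "ichecker": True,
}

# Constructed series: number of computers with blocked access over time.
BLOCKED_COUNTS = [3, 12, 25, 30, 20, 16, 15, 9, 24, 25]


@dataclass
class OutbreakPrevention:
    task_settings: dict
    raise_at: int = 25           # default threshold from the guide
    restore_at: int = 15         # default threshold from the guide
    restore_enabled: bool = True
    raised: bool = False
    audit_log: list = field(default_factory=list)

    def observe(self, blocked):
        """Update the level for a new count and return True while raised.
        Assumption: 'reached' means >= and 'decreased to' means <=."""
        if not self.raised and blocked >= self.raise_at:
            self.raised = True
            self.audit_log.append(f"security level raised ({blocked} blocked)")
        elif self.raised and self.restore_enabled and blocked <= self.restore_at:
            self.raised = False
            self.audit_log.append(f"security level restored ({blocked} blocked)")
        return self.raised

    def change_setting(self, name, value):
        """Administrator edit. It is stored in the task at once, but for a
        Table 23 setting effective() keeps returning the raised value until
        the level is restored or the function is disabled."""
        self.task_settings[name] = value

    def disable(self):
        """Switching the function off also ends the raised state."""
        self.raised = False

    def effective(self):
        """Settings in force right now."""
        if self.raised:
            return {**self.task_settings, **RAISED_VALUES}
        return dict(self.task_settings)


def run(counts, **options):
    """Replay a series of counts; return the raised flag per step and the
    model, so that its audit log and settings can be inspected."""
    model = OutbreakPrevention(task_settings=dict(CONFIGURED), **options)
    return [model.observe(count) for count in counts], model


if __name__ == "__main__":
    states, model = run(BLOCKED_COUNTS)
    for count, state in zip(BLOCKED_COUNTS, states):
        print(f"{count:3d} blocked -> {'raised' if state else 'task settings'}")
    print(model.audit_log)
```

In the replay the level stays raised at 20 and 16 blocked computers and is not raised again at 24, because the two thresholds differ; with restore_enabled=False it stays raised after the first raise.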

A.5. Updating task settings

The Anti-Virus uses the following settings in the updating tasks:
• settings common for all updating tasks:
  • Update source (see A.5.1 on pg. 381);
  • FTP server mode for connection to the protected server (see A.5.2 on
    pg. 382);
  • FTP server connection time-out (see A.5.3 on pg. 383);
  • Proxy server settings:
    o Accessing proxy server for connection to various update sources (see
      A.5.4.1 on pg. 384);
    o Address of a proxy server (see A.5.4.2 on pg. 385);
    o Authentication method when accessing the proxy server (see A.5.4.3 on
      pg. 385);
  • Regional settings for updates downloading optimization (see A.5.5 on
    pg. 387);
• settings in the Application Module Updates task:
  • Distribution and installation of program module updates or only checking
    for releases (see A.5.6.1 on pg. 388);
  • Receiving information on the release of Critical Anti-Virus patches (see
    A.5.6.2 on pg. 389);
• settings of the Updates distribution task:
  • The structure of updates (see A.5.7.1 on pg. 389);
  • Folder to save the updates to (see A.5.7.2 on pg. 390).

A.5.1. Update source

Setting: Update source

Description: You can select a source from which Anti-Virus will receive updates
of bases or application modules, depending on the update scheme used in your
organization. (Examples of update schemes are provided in 10.3 on pg. 139.)

Allowable values: You can specify the following as the update source:
• Kaspersky Lab's update servers. Anti-Virus will download all updates from one
  of Kaspersky Lab's update sources located in various geographic locations.
  Updates are downloaded via the HTTP or FTP protocols.
• Kaspersky Administration Kit Administration Server. You can select this
  update source if you use the Kaspersky Administration Kit application for
  centralized administration of the Anti-Virus protection of computers in your
  organization. Anti-Virus will download updates to the protected server from
  the Kaspersky Administration Kit administration server installed in the local
  network.
• Other HTTP, FTP servers or network resources. Anti-Virus will download
  updates from the source you have specified: folders on FTP or HTTP servers or
  on any computer within the local network. You can specify one or several
  user-defined sources of updates. Anti-Virus will always try the next
  specified source if the previous source is unavailable. You can specify the
  order in which Anti-Virus will poll the sources, enable or disable the use of
  individual sources, and also configure Anti-Virus to poll Kaspersky Lab's
  update servers if all user-defined sources are unavailable.
Note
You can use environment variables when specifying the paths. If you use a
user’s environment variable, specify the account of this user for launching the
task (see section 5.9 on page 59).
You cannot select folders on connected network drives as update sources.

Default value: You can view the list of Kaspersky Anti-Virus update servers in
the file %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows
Servers Enterprise Edition\6.0\Update\updcfg.xml.

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.2. FTP server mode for connection to the protected server

Setting: FTP server mode for connection to the protected server; connection
timeout (Use FTP in passive mode if possible)

Description: For connecting via the FTP protocol, Anti-Virus uses passive FTP
server mode, on the assumption that the local area network of the organization
uses a firewall. When passive FTP server mode does not work, active mode will
be enabled automatically.

Allowable values: Select the FTP server mode. Enable or disable passive FTP
mode.

Default value: If possible, passive FTP mode

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.3. Update source connection timeout

Parameter: Connection timeout

Description: This setting assigns the connection timeout for the update source.

Possible values: Specify the timeout time in seconds.

Default value: 10 sec

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.4. Using and configuring a proxy server

The Anti-Virus applies the following settings to the proxy server access:
• The use of a proxy server for connection to various update sources (see
  A.5.4.1 on pg. 384);
• Proxy server settings (see A.5.4.2 on pg. 385);
• Authentication method when accessing the proxy server (see A.5.4.3 on
  pg. 385).

A.5.4.1. Accessing the proxy server when connecting to update sources

Setting: Accessing the proxy server when connecting to the update sources

Description: By default, Anti-Virus connects to the proxy server on the network
when connecting to the Kaspersky Lab update servers, but it bypasses the proxy
server when connecting to custom update sources (such as HTTP or FTP servers or
specified computers). It is assumed that these sources are on the local area
network.
Note that the file extensions of the bases update files are generated randomly.
If the proxy server on your network prohibits downloading of files with some
extensions, we recommend that you allow downloading of files with all
extensions from Kaspersky Lab's update servers. You can view the list of
Kaspersky Lab's update servers in the file %ALLUSERSPROFILE%\Application
Data\Kaspersky Lab\KAV for Windows Servers Enterprise
Edition\6.0\Update\updcfg.xml.

Allowable values:
• If you specified the Kaspersky Lab's update servers as an update source, make
  sure that Use specified proxy server settings to connect to Kaspersky Lab's
  update servers is selected.
• If you need access to a proxy server to connect to any custom FTP or HTTP
  servers, select Use specified proxy server settings for custom servers.

Default value: Anti-Virus accesses the proxy server only when it connects to
the Kaspersky Lab's HTTP or FTP update servers.

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.4.2. Proxy server settings

Setting: Proxy server settings

Description: By default, when connecting to an FTP or HTTP server, Anti-Virus
automatically detects the settings of the proxy server used in the local
network using the Web Proxy Auto-Discovery Protocol (WPAD). You can specify the
proxy server settings manually, for example, if the WPAD protocol is not set up
on your LAN.

Allowable values: Specify the IP address or the server’s DNS name (for example,
proxy.mycompany.com) and the port.
Disable the use of a proxy server if the user-defined FTP or HTTP server is
located in your local network.

Default value: Automatically determine the proxy server settings

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.4.3. Authentication method used when accessing the proxy server

Setting: Authentication method used when accessing the proxy server

Description: This setting specifies the method used to authenticate users when
accessing the proxy server while establishing a connection to the FTP or HTTP
servers used as update sources.

Allowable values: Select one of the following:
• Do not use authentication. Select if authentication is not required to access
  the proxy server.
• Use NTLM-authentication. In order to access the proxy server, Anti-Virus will
  use the account specified in the task. (If the Run as task setting does not
  specify another account, then the task will be executed under the Local
  System (SYSTEM) account.) You can select this method if the proxy server
  supports in-built Microsoft Windows NTLM authentication. (For more on using
  user accounts to run tasks, see 5.9.1 on pg. 59.)
• Use NTLM-authentication with name and password. For accessing the proxy
  server, Anti-Virus will use the account you specified. You can select this
  method if the proxy server supports in-built Microsoft Windows
  authentication.
  Enter the user’s login and password or select the user in the list.
• Use user's name and password. You can select basic authentication. Enter the
  username and the password of the user or select the user in the list.
  You can select this method, for example, if the account under which the
  update task will be executed does not have permissions for accessing the
  proxy server and you wish to use another account to access the proxy server.

If basic authentication of the user based on his or her username and password
was not successful, Anti-Virus will perform in-built Microsoft Windows
authentication based on the account used in this task.

Default value: Authentication is not performed when accessing the proxy server.

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.5. Regional settings for optimization of updates downloading (Location of
the protected server)

Setting: Regional settings for optimization of updates downloading (Location)

Description: Kaspersky Lab's update servers are located in various geographic
locations. With the help of this setting you can specify the country in which
the protected server is located. Anti-Virus optimizes the downloading of
updates to the protected server by selecting the Kaspersky Lab update server
closest to it.

Allowable values: You can specify the country in which the protected server is
located.

Default value: By default Anti-Virus detects the location of the protected
server according to its regional settings in Microsoft Windows; on Microsoft
Windows Server 2003, according to the value of the Location setting set for the
Default User Account in the Default User Account Settings.
For example, if you set Russia as the Location value in the regional settings
of Microsoft Windows (using the current user account) while its value for the
Default User Account is left as USA, Anti-Virus will download the updates from
servers located not in Russia, but in the USA.
To optimize the downloading of updates you can perform one of the following
actions:
• specify the country of the server’s Location in the regional settings of
  Microsoft Windows for the Default User Account;
• launch the update task in Anti-Virus using the current User Account;
• select the country of the server’s location using the update setting Location
  of the protected server described in this table.

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.1 on pg. 145;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.6. The Application Module Updates task settings

The following settings are used in the Updating application modules task:
• Distribution and installation of critical program module updates or only
  checking for their availability (see A.5.6.1 on pg. 388);
• Receiving information on the release of Critical Anti-Virus patches (see
  A.5.6.2 on pg. 389).

A.5.6.1. Distribution and installation of critical program module updates or
only checking for releases

Parameter: Distribution and installation of critical program module updates or
only checking for releases

Description: Using the Updating application modules task, you can select,
immediately load, and install critical program module updates or just check to
see if any are available.

Possible values: Select one of the following values:
• Only check for available critical application module updates. You can select
  this option, for example, to find out if critical module updates have been
  released for Anti-Virus.
• Distribute and install available critical database updates and critical
  application module updates.

Default value: Only check for available critical application module updates

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.2 on pg. 150;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.6.2. Receiving information on the release of Critical Anti-Virus patches

Parameter: Receiving information on available Anti-Virus patches

Description: You can receive information on available Anti-Virus patches.
To receive notifications of upgrade releases, select Receive information on
available Anti-Virus module upgrades and configure the notification for the
Anti-Virus event "Program module upgrades available", which will contain the
address of the Kaspersky Lab site where you can download the upgrades (for more
information on configuring notifications, see 15.2 on pg. 216).

Possible values: Receive / do not receive information on available Anti-Virus
upgrades

Default value: Receive information on available Anti-Virus patches

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.2 on pg. 150;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.7. Updates distribution task settings

The Anti-Virus uses the following settings in the Updates distribution task:
• Update content (see A.5.7.1 on pg. 389);
• Folder to save the updates to (see A.5.7.2 on pg. 390).

A.5.7.1. Updates content

Setting: Updates content

Description: Using this setting, you can select which updates are downloaded.
You can download only Anti-Virus database updates, only critical program module
updates, or all available updates. You can also download database updates and
modules for both Anti-Virus and the other Kaspersky Lab 6.0 applications in
order to distribute those updates later to other computers on the local area
network that have that version of Kaspersky Anti-Virus applications installed.
By default, Anti-Virus saves update files in the
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers
Enterprise Edition\6.0\UpdateDistribution\ folder.

Allowable values: Select one of the following values:
• To download and save only database updates in the specified folder, select
  Download application database updates;
• To download and save only program module updates in the specified folder,
  select Download program module updates;
• To download and save database and program module updates in the specified
  folder, select Download database and critical program module updates;
• To download database and program module updates for both Anti-Virus and the
  other Kaspersky Lab applications of version 6.0 and above, select Download
  database and module updates for all Kaspersky Lab programs of version 6.0
  and above.

Default value: The Anti-Virus downloads only the updates of the Anti-Virus
bases.

To learn how to configure this setting:

• in the Anti-Virus console in MMC, see section 10.5.3 on pg. 152;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.5.7.2. Folder to save updates into

Setting Folder to save updates into

Description Using this setting you can specify the folder into which the update
files will be saved.

Allowable values Specify a local or a network folder into which Anti-Virus
will save the downloaded updates. To specify a network folder, enter its
name and the path to it in UNC (Universal Naming Convention) format.
You cannot specify folders on network drives or virtual drives created
using the SUBST command.
When specifying the path, you can use environment variables. If you use a
user environment variable, specify that user's account as the account under
which the task is launched (see 5.9 on page 59).
If you are managing Anti-Virus on the protected server through an MMC
console installed on a remote administrator's workstation, you must be
included in the local administrators group on the protected server to be
able to view the folders on it.

Default value
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\Update\Distribution\
You can use the Anti-Virus environment variable %KAVWSEEAPPDATA% to
specify the Anti-Virus folder
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 10.5.3 on pg. 152;
• in the Kaspersky Administration Kit application, see section 21.2 on pg. 303.

A.6. Quarantine settings


The quarantine has the following settings:
• Quarantine settings (see A.6.1 on pg. 391);
• Maximum quarantine size (see A.6.2 on pg. 392);
• Free quarantine space threshold (see A.6.3 on pg. 393);
• Folder to save the updates to (see A.6.4 on pg. 394).

A.6.1. Quarantine folder

Setting Quarantine folder

Description You can specify a folder other than the default Quarantine folder
as the quarantine location.

Allowable values Specify a folder on a local disk of the protected server
(folder name and full path to it). Anti-Virus will begin to move objects to
the folder specified in the settings as soon as you save the new settings
value.
If the specified Quarantine folder does not exist or is not available,
Anti-Virus will use the default Quarantine folder.
When specifying the Quarantine folder, you can use system environment
variables; you cannot use user environment variables.
Do not set the Quarantine folder to a destination on a quorum drive or in a
cluster environment.

Default value
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\Quarantine\
You can use the Anti-Virus environment variable %KAVWSEEAPPDATA% to
specify the Anti-Virus folder
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 11.8 on pg. 169;
• in the Kaspersky Administration Kit application, see section 20.4.2 on pg. 289.

A.6.2. Maximum quarantine size

Setting Maximum quarantine size

Description The value of this setting determines the maximum quarantine
size - the total amount of data in the quarantine folder.
The Maximum Quarantine Size is an information-only setting. It does not
restrict the size of the quarantine folder; it is an event registration
criterion that allows the administrator to monitor the storage state. After
the maximum quarantine size has been reached, Anti-Virus continues placing
suspicious objects into quarantine.
You can configure a notification that the maximum quarantine size has been
exceeded. Anti-Virus will send the notification once the total amount of
data in the quarantine has reached the specified value (for more details
refer to Chapter 15 on pg. 214).
Recommended setting: 200 MB.

Allowable values 1–999 MB

Default value None

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 11.8 on pg. 169;
• in the Kaspersky Administration Kit application, see section 20.4.2 on pg. 289.

A.6.3. Free quarantine space threshold

Setting Free quarantine space threshold

Description This setting is used along with the Maximum quarantine size
setting.
Quarantine Free Space Threshold is an information-only setting. It does not
restrict the size of the quarantine folder, but lets you know that the
quarantine will be full shortly. If the amount of free space in the
quarantine folder becomes less than the set threshold, Anti-Virus registers
the event Quarantine Free Space Threshold Exceeded and continues isolating
suspicious objects.
You can configure a notification about the event Quarantine Free Space
Threshold Exceeded (information about setting up such a notification is
contained in Chapter 15 on pg. 214).

Allowable values Specify the size in MB; it must be less than the value
specified by the Maximum quarantine size setting.
Recommended setting: 50 MB

Default value None

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 11.8 on pg. 169;
• in the Kaspersky Administration Kit application, see section 20.4.2 on pg. 289.

A.6.4. Folder for restoration

Setting Folder for restoration

Description The value of this setting specifies a special folder for
restored objects on the protected server.
When you restore objects, you can select the location where the object
being restored will be saved: the original location, a special folder for
restored objects on the protected server, or another specified folder on
the computer on which the Anti-Virus console is installed or on another
computer in the network.

Allowable values Specify a folder on a local disk of the protected server
(folder name and full path to it).
When specifying the path to the folder for restoration, you can use system
environment variables; you cannot use user environment variables.
If you are managing Anti-Virus on the protected server through an MMC
console installed on a remote administrator's workstation, you must be
included in the local administrators group on the protected server to be
able to view the folders on it.

Default value
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\Restored\
You can use the Anti-Virus environment variable %KAVWSEEAPPDATA% to
specify the Anti-Virus folder
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 11.8 on pg. 169;
• in the Kaspersky Administration Kit application, see section 20.4.2 on pg. 289.

A.7. Backup storage settings


Backup has the following settings:
• Backup storage folder (see A.7.1 on pg. 395);
• Maximum backup storage size (see A.7.2 on pg. 396);
• Free backup storage space threshold (see A.7.3 on pg. 396);
• Folder to save the updates to (see A.7.4 on pg. 397).

A.7.1. Backup storage folder

Setting Backup storage folder

Description You can specify a folder other than the default folder as Backup
location.

Allowable values Specify a folder on a local disk of the protected server
(folder name and full path to it). Anti-Virus will switch to using the
specified folder as soon as you save the new value of the setting.
If the specified Backup folder does not exist or is not available,
Anti-Virus will use the default Backup folder.
When specifying the path to the Backup storage folder, you can use system
environment variables; you cannot use user environment variables.
Do not set the Backup folder to a destination on a quorum drive or in a
cluster environment.
If you are managing Anti-Virus on the protected server through an MMC
console installed on a remote administrator's workstation, you must be
included in the local administrators group on the protected server to be
able to view the folders on it.

Default value
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\Backup\
You can use the Anti-Virus environment variable %KAVWSEEAPPDATA% to
specify the Anti-Virus folder
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 12.5 on pg. 182;
• in the Kaspersky Administration Kit application, see section 20.5.2 on pg. 291.

A.7.2. Maximum backup storage size

Setting Maximum backup storage size

Description The value of this setting determines the maximum backup storage
size - the total amount of data in the Backup folder.
The Maximum Backup Storage Size is an information-only setting. It does not
restrict the size of the backup storage folder; rather, it is an event
criterion that allows the administrator to monitor the storage state. After
the maximum backup storage size is exceeded, Anti-Virus will continue
saving copies of infected files in the backup storage.
You can configure an administrator's notification that the maximum backup
storage size has been exceeded. Anti-Virus will send the notification once
the total amount of data in the Backup has reached the specified value (for
more details about notifications refer to Chapter 15 on pg. 214).
Recommended setting: 200 MB.

Allowable values 1–999 MB

Default value None

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 12.5 on pg. 182;
• in the Kaspersky Administration Kit application, see section 20.5.2 on pg. 291.

A.7.3. Minimum backup storage free space threshold

Setting Free space threshold

Description This setting is used along with the Maximum Backup Storage Size
setting.
This is an information-only setting. It does not restrict the size of the
backup storage folder, but lets you know that it will be full shortly. If
the amount of free space in the backup storage folder becomes less than the
set threshold, Anti-Virus registers the event Backup Storage Free Space
Threshold Exceeded and continues isolating suspicious objects.
You can configure a notification about events of this type (for information
about configuring such notifications see Chapter 15 on pg. 214).

Allowable values Specify the size in MB; it must be less than the value
specified by the Maximum backup storage size setting.
Recommended setting: 50 MB

Default value None

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 12.5 on pg. 182;
• in the Kaspersky Administration Kit application, see section 20.5.2 on pg. 291.
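
Because the size and free-space settings in A.6.2, A.6.3, A.7.2 and A.7.3 only raise events and never stop Anti-Virus from writing, the sketch below shows the same two checks applied to a folder from the outside. It is an added example, not part of the guide and not Kaspersky code; it assumes "free space" means the configured maximum minus the data already stored, and the event labels and function names are this example's own.

```python
# Added example (not Kaspersky code): evaluate a quarantine or backup folder
# against the informational "maximum size" and "free space threshold" settings.
import os
from dataclasses import dataclass

MB = 1024 * 1024

# Descriptive labels chosen for this example; they are not product event IDs.
EVENT_MAX_REACHED = "maximum size reached"
EVENT_FREE_LOW = "free space threshold exceeded"


@dataclass(frozen=True)
class StorageLimits:
    max_size_mb: int        # Maximum quarantine / backup storage size
    free_threshold_mb: int  # Free space threshold

    def validate(self):
        """Return a list of problems with the pair of values (empty if valid)."""
        problems = []
        if not 1 <= self.max_size_mb <= 999:
            problems.append("maximum size must be in the range 1-999 MB")
        if self.free_threshold_mb < 0:
            problems.append("free space threshold cannot be negative")
        if self.free_threshold_mb >= self.max_size_mb:
            problems.append("free space threshold must be less than the maximum size")
        return problems


def folder_size_bytes(path):
    """Total size of all regular files under path (subfolders included)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
            except OSError:
                # File was removed or is locked between listing and stat; skip it.
                continue
    return total


def evaluate(used_bytes, limits):
    """Return (free_bytes, events) for the given usage.

    Assumption: "free space" is the configured maximum minus the data already
    stored. free_bytes goes negative once the folder has outgrown the maximum,
    which is possible because the settings never block new objects.
    """
    problems = limits.validate()
    if problems:
        raise ValueError("; ".join(problems))
    free_bytes = limits.max_size_mb * MB - used_bytes
    events = []
    if used_bytes >= limits.max_size_mb * MB:
        events.append(EVENT_MAX_REACHED)
    if free_bytes < limits.free_threshold_mb * MB:
        events.append(EVENT_FREE_LOW)
    return free_bytes, events


def check_folder(path, limits):
    """Measure a folder and evaluate it; returns a dict suitable for logging."""
    used = folder_size_bytes(path)
    free, events = evaluate(used, limits)
    return {"path": path, "used_mb": round(used / MB, 2),
            "free_mb": round(free / MB, 2), "events": events}


if __name__ == "__main__":
    # Constructed usage figures, evaluated with the recommended values from
    # the guide (200 MB maximum, 50 MB threshold).
    recommended = StorageLimits(max_size_mb=200, free_threshold_mb=50)
    for used_mb in (100, 160, 200, 260):
        free, events = evaluate(used_mb * MB, recommended)
        print(f"used={used_mb} MB free={free // MB} MB events={events}")
```

The last constructed case (260 MB stored against a 200 MB maximum) is the one to watch for in practice: both conditions are met and the folder is still growing, so the volume itself is the only hard limit.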

A.7.4. Folder for restoration

Setting Folder for restoration

Description The value of this setting specifies a special folder for
restored objects on the local disk of the protected server.
When you restore files, you can select where the file being restored will
be saved: the original folder, a special folder for restored objects on the
protected server, or another specified folder on the computer on which the
Anti-Virus console is installed or on another computer in the network.
If you are managing Anti-Virus on the protected server through an MMC
console installed on a remote administrator's workstation, you must be
included in the local administrators group on the protected server to be
able to view the folders on it.

Allowable values Specify a folder on a local disk of the protected server
(folder name and full path to it).
When specifying the path to the folder for restoration, you can use system
environment variables; you cannot use user environment variables.

Default value
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\Restored\
You can use the Anti-Virus environment variable %KAVWSEEAPPDATA% to
specify the Anti-Virus folder
%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\.

To learn how to configure this setting:
• in the Anti-Virus console in MMC, see section 12.5 on pg. 182;
• in the Kaspersky Administration Kit application, see section 20.5.2 on pg. 291.

APPENDIX B. KASPERSKY LAB
Founded in 1997, Kaspersky Lab has become a recognized leader in information
security technologies. It produces a wide range of data security software and
delivers high-performance, comprehensive solutions to protect computers and
networks against all types of malicious programs, unsolicited and unwanted
email messages, and hacker attacks.

Kaspersky Lab is an international company. Headquartered in the Russian
Federation, the company has representative offices in the United Kingdom,
France, Germany, Japan, USA (CA), the Benelux countries, China, Poland, and
Romania. A new company department, the European Anti-Virus Research Centre,
has recently been established in France. Kaspersky Lab's partner network
incorporates more than 500 companies worldwide.

Today, Kaspersky Lab employs more than 450 specialists, each of whom is
proficient in Anti-Virus technologies, with 10 of them holding M.B.A. degrees,
16 holding Ph.Ds, and senior experts holding membership in the Computer
Anti-Virus Researchers Organization (CARO).

Kaspersky Lab offers best-of-breed security solutions, based on its unique
experience and knowledge, gained in over 14 years of fighting computer viruses.
A thorough analysis of computer virus activities enables the company to deliver
comprehensive protection from current and future threats. Resistance to future
attacks is the basic policy implemented in all Kaspersky Lab's products. At all
times, the company's products remain at least one step ahead of many other
vendors in delivering extensive Anti-Virus coverage for home users and
corporate customers alike.

Years of hard work have made the company one of the top security software
manufacturers. Kaspersky Lab was one of the first businesses of its kind to
develop the highest standards for Anti-Virus defense. The company's flagship
product, Kaspersky Anti-Virus, provides full-scale protection for all tiers of
a network, including workstations, file servers, email systems, firewalls,
Internet gateways, and hand-held computers. Its convenient and easy-to-use
management tools ensure advanced automation for rapid virus protection across
an enterprise. Many well-known manufacturers use the Kaspersky Anti-Virus
kernel, including Nokia ICG (USA), F-Secure (Finland), Aladdin (Israel), Sybari
(USA), G Data (Germany), Deerfield (USA), Alt-N (USA), Microworld (India) and
BorderWare (Canada).

Kaspersky Lab's customers benefit from a wide range of additional services that
ensure both stable operation of the company's products, and compliance with
specific business requirements. Kaspersky Lab's Anti-Virus database is updated
every hour. The company provides its customers with a 24-hour technical support
service, which is available in several languages to accommodate its
international clientele.

B.1. Other Kaspersky Lab Products


Kaspersky Lab News Agent
The News Agent is intended for timely delivery of news published by Kaspersky
Lab, notifications about the current status of virus activity, and fresh news.
The program reads the list of available news feeds and their content from the
Kaspersky Lab news server at specified intervals.
News Agent enables users to:
• See the current virus forecast in the notification area of the task tray;
• Subscribe to and unsubscribe from news feeds;
• Retrieve news from each selected feed at the specified interval and receive
notifications about fresh news;
• Review news on the selected feeds;
• Review the list of feeds and their status;
• Open full article text in your browser.
News Agent is a stand-alone Microsoft Windows application that can be used
independently or may be bundled with various integrated solutions offered by
Kaspersky Lab Ltd.

Kaspersky® OnLine Scanner

This program is a free service provided to the visitors of Kaspersky Lab's
corporate website. The service delivers an efficient online Anti-Virus scan of
your computer. Kaspersky OnLine Scanner runs directly from your browser. This
way, users receive quick responses to questions regarding potential infections
on their computers. Using the service, visitors can:
• Exclude archives and e-mail databases from scanning;
• Select standard/extended databases for scanning;
• Save a report on the scanning results in .txt or .html formats.

Kaspersky® OnLine Scanner Pro


The program is a subscription service available to the visitors of Kaspersky
Lab's corporate website. The service delivers an efficient online Anti-Virus
scan of your computer and disinfects dangerous files. Kaspersky OnLine Scanner
Pro runs directly from your browser. Using the service, visitors can:
• Exclude archives and e-mail databases from scanning;
• Select standard/extended databases for scanning;
• Save a report on the scanning results in .txt or .html formats.

Kaspersky Anti-Virus® 7.0


Kaspersky Anti-Virus 7.0 is designed to safeguard personal computers against
malicious software as an optimal combination of conventional methods of
Anti-Virus protection and new proactive technologies.
The program provides for complex Anti-Virus checks, including:
• Anti-Virus scanning of e-mail traffic on the level of data transmission
protocol (POP3, IMAP and NNTP for incoming mail and SMTP for outgoing
messages), regardless of the mail client being used, as well as disinfection
of e-mail databases.
• Real-time Anti-Virus scanning of Internet traffic transferred via HTTP.
• Anti-Virus scanning of individual files, folders, or drives. In addition, a
preset scan task can be used to initiate Anti-Virus analysis exclusively for
critical areas of the operating system and start-up objects of Microsoft
Windows.
Proactive protection offers the following features:
• Controls modifications within the file system. The program allows users to
create a list of applications, which it will control on a per-component basis.
It helps protect application integrity against the influence of malicious
software.
• Monitors processes in random-access memory. Kaspersky Anti-Virus 7.0 promptly
notifies users whenever it detects dangerous, suspicious or hidden processes,
or when unauthorized changes in active processes occur.
• Monitors changes in the OS registry through internal system registry control.
• Hidden Processes Monitor helps protect from malicious code concealed in the
operating system using rootkit technologies.
• Heuristic Analyzer. When scanning a program, the analyzer emulates its
execution and logs all suspicious activity, such as opening or writing to a
file, interrupt vector intercepts, etc. A decision is made based on this
procedure regarding possible infection of the program with a virus. Emulation
occurs in an isolated virtual environment which reliably protects the computer
from infection.
• Performs system restore after malware attacks by logging all changes to the
registry and computer file system and rolling them back at the user's
discretion.

Kaspersky® Internet Security 7.0


Kaspersky Internet Security 7.0 is an integrated solution for protection of
personal computers against the major information threats (viruses, hackers,
spam and spyware). A single interface enables users to configure and manage all
the program's components.
The Anti-Virus protection features include:
• Anti-Virus scanning of e-mail traffic on the level of data transmission
protocol (POP3, IMAP and NNTP for incoming mail and SMTP for outgoing
messages), regardless of the mail client being used. The program includes
plug-ins for popular e-mail clients (such as Microsoft Office Outlook,
Microsoft Outlook Express/Windows Mail, and The Bat!) and supports disinfection
of their e-mail databases.
• Real-time Anti-Virus scanning of Internet traffic transferred via HTTP.
• File system protection: Anti-Virus scanning of individual files, folders or
drives. In addition, the application can perform Anti-Virus analysis
exclusively for critical areas of the operating system and Microsoft Windows
start-up objects.
• Proactive protection: the program constantly monitors application activity
and processes running in random-access memory, preventing dangerous changes to
the file system and registry, and restores the system after malicious
influence.
Protection against Internet fraud is ensured by recognition of phishing
attacks, thereby preventing confidential data leaks (above all passwords, bank
account and credit card numbers) and blocking execution of dangerous scripts on
web pages, pop-up windows and advertisement banners. The autodialer blocking
feature helps identify software that attempts to use your modem for hidden
unauthorized connections to paid phone services and blocks such activity. The
Privacy Control module keeps your confidential information secure from
unauthorized access and transmission. Parental Control is a Kaspersky Internet
Security component that monitors user access to the Internet.
Kaspersky Internet Security 7.0 registers attempts to scan the ports of your
computer, which frequently precede network attacks, and successfully defends
against typical network attacks. The program uses defined rules as a basis for
control over all network transactions, tracking all incoming and outgoing data
packets. Stealth Mode (owing to the SmartStealth™ technology) prevents computer
detection from outside. When you switch to Stealth Mode, the system blocks all
network activity except for a few transactions allowed in user-defined rules.
The program employs an all-inclusive approach to anti-spam filtering of
incoming e-mail messages:
• Verification against black and white lists of recipients (including addresses
of phishing sites);
• Inspection of phrases in message body;
• Analysis of message text using a learning algorithm;
• Recognition of spam sent in image files.

Kaspersky Anti-Virus Mobile


Kaspersky® Anti-Virus Mobile provides antivirus protection for mobile devices
running Symbian OS and Microsoft Windows Mobile. The program provides
comprehensive virus scanning, including:
• On-demand scans of the mobile device's onboard memory, memory cards, an
individual folder, or a specific file; if an infected file is detected, it is
moved to Quarantine or deleted.
• Real-time scanning – all incoming and outgoing files are automatically
scanned, as well as files when attempts are made to access them.
• Protection from text message spam.

Kaspersky Anti-Virus for File Servers


This software package provides reliable protection for file systems on servers
running Microsoft Windows, Novell NetWare, Linux and Samba from all types of
malware. The suite includes the following Kaspersky Lab applications:
• Kaspersky Administration Kit;
• Kaspersky Anti-Virus for Windows Server;
• Kaspersky Anti-Virus for Linux File Server;
• Kaspersky Anti-Virus for Novell Netware;
• Kaspersky Anti-Virus for Samba Server.
Features and functionality:
• Protects server file systems in real time: all server files are scanned when
opened or saved on the server;
• Prevents virus outbreaks;
• On-demand scans of the entire file system or individual files and folders;
• Use of optimization technologies when scanning objects in the server file
system;
• System rollback after virus attacks;
• Scalability of the software package within the scope of system resources
available;
• Monitoring of the system load balance;
• Creating a list of trusted processes whose activity on the server is not
subject to control by the software package;
• Remote administration of the software package, including centralized
installation, configuration, and administration;
• Saving backup copies of infected and deleted objects in case you need to
restore them;
• Quarantining suspicious objects;
• Send notifications on events in program operation to the system
administrator;
• Log detailed reports;
• Automatically update program databases.

Kaspersky Open Space Security
Kaspersky Open Space Security is a software package with a new approach to
security for today's corporate networks of any size, providing centralized
protection of information systems and support for remote offices and mobile
users.
The suite includes four programs:
• Kaspersky Work Space Security;
• Kaspersky Business Space Security;
• Kaspersky Enterprise Space Security;
• Kaspersky Total Space Security.
Specifics on each program are given below.

Kaspersky WorkSpace Security is a program for centralized protection of
workstations inside and outside of corporate networks from all of today's
Internet threats (viruses, spyware, hacker attacks, and spam).
Features and functionality:
• Comprehensive protection from viruses, spyware, hacker attacks, and spam;
• Proactive Defense from new malicious programs whose signatures are not yet
added to the database;
• Personal Firewall with intrusion detection system and network attack
warnings;
• Rollback for malicious system modifications;
• Protection from phishing attacks and junk mail;
• Dynamic resource redistribution during complete system scans;
• Remote administration of the software package, including centralized
installation, configuration, and administration;
• Support for Cisco® NAC (Network Admission Control);
• Scanning of e-mail and Internet traffic in real time;
• Blocking of popup windows and banner ads when on the Internet;
• Secure operation in any type of network, including Wi-Fi;
• Rescue disk creation tools that enable you to restore your system after a
virus outbreak;
• An extensive reporting system on protection status;
• Automatic database updates;
• Full support for 64-bit operating systems;
• Optimization of program performance on laptops (Intel® Centrino® Duo
technology);
• Remote disinfection capability (Intel® Active Management, Intel® vPro™).

Kaspersky Business Space Security provides optimal protection of your
company's information resources from today's Internet threats. Kaspersky
Business Space Security protects workstations and file servers from all types
of viruses, Trojans, and worms, prevents virus outbreaks, and secures
information while providing instant access to network resources for users.
Features and functionality:
• Remote administration of the software package, including centralized
installation, configuration, and administration;
• Support for Cisco® NAC (Network Admission Control);
• Protection of workstations and file servers from all types of Internet
threats;
• iSwift technology to avoid rescanning files within the network;
• Distribution of load among server processors;
• Quarantining suspicious objects from workstations;
• Rollback for malicious system modifications;
• Scalability of the software package within the scope of system resources
available;
• Proactive Defense for workstations from new malicious programs whose
signatures are not yet added to the database;
• Scanning of e-mail and Internet traffic in real time;
• Personal Firewall with intrusion detection system and network attack
warnings;
• Protection while using Wi-Fi networks;
• Self-Defense from malicious programs;
• Quarantining suspicious objects;
• Automatic database updates.

Kaspersky Enterprise Space Security
This program includes components for protecting linked workstations and
servers from all of today's Internet threats. It deletes viruses from e-mail,
keeping information safe while providing secure access to network resources
for users.
Features and functionality:
• Protection of workstations and file servers from viruses, Trojans, and
worms;
• Protection of Sendmail, Qmail, Postfix and Exim mail servers;
• Scanning of all e-mails on Microsoft Exchange Server, including shared
folders;
• Processing of e-mails, databases, and other objects for Lotus Domino
servers;
• Protection from phishing attacks and junk mail;
• Preventing mass mailings and virus outbreaks;
• Scalability of the software package within the scope of system resources
available;
• Remote administration of the software package, including centralized
installation, configuration, and administration;
• Support for Cisco® NAC (Network Admission Control);
• Proactive Defense for workstations from new malicious programs whose
signatures are not yet added to the database;
• Personal Firewall with intrusion detection system and network attack
warnings;
• Secure operation while using Wi-Fi networks;
• Scans Internet traffic in real time;
• Rollback for malicious system modifications;
• Dynamic resource redistribution during complete system scans;
• Quarantining suspicious objects;
• An extensive reporting system on protection system status;
• Automatic database updates.

Kaspersky Total Space Security
This solution monitors all inbound and outbound data streams (e-mail,
Internet, and all network interactions). It includes components for protecting
workstations and mobile devices, keeps information safe while providing secure
access for users to the company's information resources and the Internet, and
ensures secure e-mail communications.
Features and functionality:
• Comprehensive protection from viruses, spyware, hacker attacks, and spam on
all levels of the corporate network, from workstations to Internet gateways;
• Proactive Defense for workstations from new malicious programs whose
signatures are not yet added to the database;
• Protection of mail servers and linked servers;
• Scans Internet traffic (HTTP/FTP) entering the local area network in real
time;
• Scalability of the software package within the scope of system resources
available;
• Blocking access from infected workstations;
• Prevents virus outbreaks;
• Centralized reporting on protection status;
• Remote administration of the software package, including centralized
installation, configuration, and administration;
• Support for Cisco® NAC (Network Admission Control);
• Support for hardware proxy servers;
• Filters Internet traffic using a trusted server list, object types, and user
groups;
• iSwift technology to avoid rescanning files within the network;
• Dynamic resource redistribution during complete system scans;
• Personal Firewall with intrusion detection system and network attack
warnings;
• Secure operation for users on any type of network, including Wi-Fi;
• Protection from phishing attacks and junk mail;
• Remote disinfection capability (Intel® Active Management, Intel® vPro™);
• Rollback for malicious system modifications;
• Self-Defense from malicious programs;
• Full support for 64-bit operating systems;
• Automatic database updates.

Kaspersky Security for Mail Servers
This program is for protecting mail servers and linked servers from malicious
programs and spam. The program includes applications for protecting all
standard mail servers (Microsoft Exchange, Lotus Notes/Domino, Sendmail, Qmail,
Postfix and Exim) and also enables you to configure a dedicated e-mail gateway.
The solution includes:
• Kaspersky Administration Kit;
• Kaspersky Mail Gateway;
• Kaspersky Anti-Virus for Lotus Notes/Domino;
• Kaspersky Anti-Virus for Microsoft Exchange;
• Kaspersky Anti-Virus for Linux Mail Server.
Its features include:
• Reliable protection from malicious or potentially dangerous programs;
• Junk mail filtering;
• Scans incoming and outgoing e-mails and attachments;
• Scans all e-mails on Microsoft Exchange Server for viruses, including shared
folders;
• Processes e-mails, databases, and other objects for Lotus Notes/Domino
servers;
• Filters e-mails by attachment type;
• Quarantines suspicious objects;
• Easy-to-use administration system for the program;
• Prevents virus outbreaks;
• Monitors protection system status using notifications;
• Reporting system for program operation;
• Scalability of the software package within the scope of system resources
available;
• Automatic database updates.

Kaspersky Security for Internet Gateways
This program provides secure access to the Internet for all of an organization's
employees, automatically deleting malware and riskware from data arriving over
HTTP/FTP. The solution includes:
• Kaspersky Administration Kit;
• Kaspersky Anti-Virus for Proxy Server;
• Kaspersky Anti-Virus for Microsoft ISA Server;
• Kaspersky Anti-Virus for Check Point FireWall-1.
Its features include:
• Reliable protection from malicious or potentially dangerous programs;
• Scans Internet traffic (HTTP/FTP) in real time;
• Filters Internet traffic using a trusted server list, object types, and user groups;
• Quarantines suspicious objects;
• Easy-to-use administration system;
• Reporting system for program operation;
• Support for hardware proxy servers;
• Scalability of the software package within the scope of system resources available;
• Automatic database updates.

Kaspersky® Anti-Spam
Kaspersky® Anti-Spam is a cutting-edge software suite designed to help
organizations with small- and medium-sized networks wage war against the onslaught
of unsolicited e-mail messages (spam). The product combines the revolutionary
technology of linguistic analysis with modern methods of e-mail filtration,
including DNS Black Lists and formal letter features. Its unique combination of
services allows users to identify and wipe out up to 95% of unwanted traffic.
Installed at the entrance to a network, where it monitors incoming e-mail traffic
streams for spam, Kaspersky® Anti-Spam acts as a barrier to unsolicited e-mail.
The product is compatible with any mail system and can be installed on either an
existing mail server or a dedicated one.
Kaspersky® Anti-Spam’s high performance is ensured by daily updates to the
content filtration database, adding samples provided by the Company’s linguistic
laboratory specialists. Databases are updated every 20 minutes.
Kaspersky® Anti-Virus for MIMESweeper
Kaspersky® Anti-Virus for MIMESweeper provides high-speed scanning of traffic
on servers running Clearswift MIMEsweeper for SMTP / Clearswift MIMEsweeper
for Exchange / Clearswift MIMEsweeper for Web.

The program is a plug-in and scans for viruses and processes inbound and
outbound e-mail traffic in real time.

B.2. Contact Us
If you have any questions, comments, or suggestions, please refer them to one
of our distributors or directly to Kaspersky Lab. We will be glad to assist you in
any matters related to our product by phone or via email. Rest assured that all of
your recommendations and suggestions will be thoroughly reviewed and considered.

Technical support:
    Please find the technical support information at
    http://www.kaspersky.com/supportinter.html
    Helpdesk: www.kaspersky.com/helpdesk.html

General information:
    WWW: http://www.kaspersky.com
         http://www.viruslist.com
    Email: info@kaspersky.com

APPENDIX C. INDEX
. Including network paths into the scan area 117
5.2.2.3. Saving settings set into a template. Applying template 127
6.5. Rolling back Anti-Virus database updates 154
About 33
About updating Anti-Virus bases 136
About updating application modules 138
Access to COM applications 29
Access to the Anti-Virus functions 34
Account Local System (SYSTEM) 59
Action to be performed with infected objects in the on-demand scan tasks 365
Action to be performed with infected objects in the Real-time File Protection task 364
Actions to be performed with objects depending on the type of threat 368
Actions to be performed with suspicious objects in the Real-Time File Protection task 366
Adding or deleting a key 240
Adware 17
All objects 361
anti-virus bases 17
Anti-Virus command line commands 225
Anti-Virus console 34
Anti-Virus console in MMC 25
Anti-Virus icon in the notification area of the task tray
    colored, black and white 32
Anti-Virus service 38
Anti-Virus startup or shutdown 227
Anti-Virus statistics 203
Application integrity control 111
Archives 363
Attempt self-recover no more than … times 343
Backup copying of objects before disinfection/deletion 173
Backup storage statistics 183
Bases 17
Bases are obsolete 346
Bases are outdated 346
Block access 364
Block access + delete 364
Block access + disinfect 364
Block access + disinfect, delete if disinfection is not possible 364
Blocking access from computers 87
Classic viruses 15
Configuration and control using Kaspersky Administration Kit 251
Configuring automatic blocking of access from computers 375
Configuring backup storage settings 182
Configuring Download updates task settings 152
Configuring notifications 214
Configuring on-demand tasks 112
Configuring quarantine settings 169
Configuring Real-time file protection task 62
Configuring security settings 71
Configuring security settings manually 74, 123
Configuring Updating application modules task settings 150
Configuring updating tasks 144
Configuring Updating Tasks 380
Connect to another computer 32
Creating a task 50
Creating Anti-Virus processes memory dump files 351
Creating Tracking log 348
Debug file folder 348
Default backup storage settings 394
Default quarantine settings 391
Defining a scan area in the on-demand scan tasks 114
Defining protection scope in the Real-time file protection task 65
Deleting files from the backup storage 181
Deleting objects from quarantine 166
Deleting objects from System audit 202
Deleting reports 196
Deleting tasks 53
Detectable objects 360
Disable schedule starting from 356
Display Anti-Virus icon 33
Displaying Anti-Virus command help 227
Distribution of task launch time 353
Do not store events for longer than … days 344
Do not store reports and events for longer than … days 344
Do not store reports and events longer than 41
Do not store reports and events longer than … days 41
Downloading updates directly from the Internet to the protected server 140
Downloading updates from an intermediary computer 140
Downloading updates via Kaspersky Administration Kit administration server 141
E-mail notification 215
Embedded OLE-objects 363
Enabling and disabling dump creation 242
Enabling and disabling schedule 58
Enabling or disabling automatic blocking of access from computers 88
Enabling, configuring and disabling the tracking log 241
Error diagnosis 349
Error diagnostics 347, 348, 350
Event generation thresholds 346
Event log 207
Event registration 185
Events in reports and event log 197
Excluding objects 369
Excluding threats 370
exporting 44
Filtering events in System audit 201
Filtering quarantined objects 159
Folder for restored objects 394
Full computer scan 111
Full computer scan has not been performed for a long time 346
General Anti-Virus settings 40
Generate Tracking log 349
Group tasks 49
Hide the Anti-Virus icon 33
Importing settings 44
Including dynamic drives, folders and files into the protection area 68
infected 18
Intelligent Mode 360
Isolation of suspicious objects 155
JScript 13
Kaspersky Administration Kit Administration Server 381
Kaspersky Anti-Virus console 33
Kaspersky Anti-Virus Console 31
Kaspersky Lab's update sources 381
KAVSHELL DUMP 242
KAVSHELL FULLSCAN 232
KAVSHELL HELP 227
KAVSHELL LICENSE 240
KAVSHELL ROLLBACK 239
KAVSHELL RTP 235
KAVSHELL SCAN 228
KAVSHELL START 227
KAVSHELL STOP 227
KAVSHELL TASK 233
KAVSHELL TRACE 241
KAVSHELL UPDATE 235
Key management 36
Launch frequency 353
Launch time distribution 358
Launching skipped tasks 357
Local tasks 48
Mail databases 363
Mail format files 363
Malware 16
Manage permissions 36
Manage reports 36
Managing permissions 35, 36
Managing the specified task in asynchronous mode 233
Maximum number of processes 340
Maximum number of working processes 40
Maximum object scan time 372
Maximum protection level 71
Maximum quarantine size 392
Maximum size of a detectable composite object 372
Maximum Speed level 71
Microsoft Windows NET SEND 215
Microsoft Windows NET SEND notifications 214
Minimum quarantine free space amount 393
Modify settings 36
Network worms 15
Number of processes used by the real-time protection tasks 341
Number of processes for background on-demand scan tasks 342
Number of processes to run real-time protection tasks 41
Number of working processes to run background scan tasks 41
Objects by a specified list of extensions 361
Objects by extension masks 361
Objects by format 361
On-demand scan 13
On-demand scan task statistics 133
On-demand scan tasks 111
Other malware programs 16
Packed objects 363
Pause from… until 357
Pausing tasks 53
Perform self-recovery not more than … times 41
Permissions 36
Pornware 16
Port TCP 135 30
potentially containing malicious code 18
Protection mode 359
Quarantine and Backup management 36
Quarantine location 391
Quarantine statistics 171
Read permissions 36
Read settings 35
Read statistics 35
Real-time file protection task statistics 83
Real-time protection 13, 62
Renaming tasks 52
Reports storage period 344
Restoring files from the backup storage 178
Restoring objects from quarantine 162
Resuming tasks 53
Return codes 245
Revision date 2
Rollback of the Anti-Virus bases update (command line) 239
Rolling back application modules update 154
Run as 60
Run executable file 215
Saving settings 52
Saving settings set into a template. Applying template 79
Saving tasks after changing its settings 52
Scan alternate NTFS streams 361
Scan at system startup 111
Scan boot sectors of disks and of the main boot record (MBR) 361
Scan My Computer 111
Scan Quarantine 111
Scanning composite objects 363
Scanning quarantined objects. The Scan Quarantine task settings 160
Scanning selected area 228
Schedule enable date 355
Script monitoring task statistics 86
Searching for files in the backup storage 176
Security settings
    Applying a template 78, 127, 128
Selecting pre-defined security levels 120
Selecting pre-defined security levels in the Real-time file protection task 71
Self-extracting archives 363
Self-recovery 343
Sending suspicious object to Kaspersky Lab for analysis 167
Sorting events in System audit 200
Sorting files in the backup storage 176
Sorting quarantined objects 158
Sorting reports 191
Special permissions 37
Start at 355
Starting Anti-Virus bases update task 235
Starting Anti-Virus service 38
Starting or stopping real-time protection tasks 235
Starting tasks 53
Starting the Anti-Virus console from the Start menu 31
Starting the Scan my computer task 232
stopping Anti-Virus service 38
Stopping tasks 53
suspicious 18
Suspicious scripts
    Block or allow execution 85
System audit 199
System audit log storage period 344
System tasks 48
System Tray Application 33
Task categories 48
Task execution reports 186
Task launch time 355
Task management 35, 48
Task schedule 53
Task statistics 58
Task status management 35
TCP port 135 30
Technical Support Service 411
Terminal service windows 214
The list of subsystems codes for adding to the tracking log 350
Tracking Anti-Virus subsystems 350
Tracking log 347
Trojans 15
Types of threats 14
Unblocking access from a computer 97
Updates 33
Updating of Anti-Virus bases and application modules 136
Updating task statistics 153
Updating tasks 143
Use of iChecker™ technology 373
Use of iSwift™ technology 374
Use of uninterruptible power supply 345
User-defined tasks 49
User-defined update sources 381
Using a different account to launch a task 59
Using Backup storage 173
Using quarantine 155, 156
VBScript 13
View reports 36
Viewing blocking statistics 97
Viewing detailed report about task execution 191
Viruses 15
Virware 15
When executed 360
When opened 360
When opened and modified 360
Write debug information into the file 347
APPENDIX D. LICENSE AGREEMENT
Standard End User License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL
AGREEMENT (“AGREEMENT”), FOR THE LICENSE OF KASPERSKY ANTI-
VIRUS 6.0 FOR WINDOWS SERVERS ENTERPRISE EDITION (“SOFTWARE”)
PRODUCED BY KASPERSKY LAB (“KASPERSKY LAB”).
IF YOU HAVE PURCHASED THIS SOFTWARE VIA THE INTERNET BY
CLICKING THE ACCEPT BUTTON, YOU (EITHER AN INDIVIDUAL OR A
SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF
THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO
NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL
THE SOFTWARE.
IF YOU HAVE PURCHASED THIS SOFTWARE ON A PHYSICAL MEDIUM,
HAVING BROKEN THE CD’S SLEEVE YOU (EITHER AN INDIVIDUAL OR A
SINGLE ENTITY) ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.
IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT DO
NOT BREAK THE CD’s SLEEVE, DOWNLOAD, INSTALL OR USE THIS
SOFTWARE.
IN ACCORDANCE WITH THE LEGISLATION, REGARDING KASPERSKY
SOFTWARE INTENDED FOR INDIVIDUAL CONSUMERS PURCHASED
ONLINE FROM THE KASPERSKY LAB OR ITS PARTNER’S INTERNET WEB
SITE, CUSTOMER SHALL HAVE A PERIOD OF FOURTEEN (14) WORKING
DAYS AS FROM THE DELIVERY OF PRODUCT TO MAKE RETURN OF IT TO
THE MERCHANT FOR EXCHANGE OR REFUND, PROVIDED THE
SOFTWARE IS NOT UNSEALED.
REGARDING THE KASPERSKY SOFTWARE INTENDED FOR INDIVIDUAL
CONSUMERS NOT PURCHASED ONLINE VIA INTERNET, THIS SOFTWARE
NEITHER WILL BE RETURNED NOR EXCHANGED EXCEPT FOR
CONTRARY PROVISIONS FROM THE PARTNER WHO SELLS THE
PRODUCT. IN THIS CASE, KASPERSKY LAB WILL NOT BE HELD BY THE
PARTNER'S CLAUSES.
THE RIGHT TO RETURN AND REFUND EXTENDS ONLY TO THE ORIGINAL
PURCHASER.
1. License Grant. Subject to the payment of the applicable license fees, and
subject to the terms and conditions of this Agreement, Kaspersky Lab hereby grants
you the non-exclusive, non-transferable right to use one copy of the specified
version of the Software and the accompanying documentation (the “Documentation”)
for the term of this Agreement solely for your own internal business purposes.
1.1 Use. The number of computers that User may protect by the Software is
specified in the License Key File and indicated in the “Service” window. The
Software may not be used to protect any networks with more than this number of file
servers.
1.1.1 The Software is “in use” on a computer when it is loaded into the temporary
memory (i.e., random-access memory or RAM) or installed into the permanent
memory (e.g., hard disk, CD-ROM, or other storage device) of that computer.
This license authorizes you to make only as many back-up copies of the Software
as are necessary for its lawful use and solely for back-up purposes, provided
that all such copies contain all of the Software’s proprietary notices. You
shall maintain records of the number and location of all copies of the Software
and Documentation and will take all reasonable precautions to protect the Software
from unauthorized copying or use.
1.1.2 The Software protects computer against viruses whose signatures are
contained in the threat signatures database which is available on Kaspersky Lab's
update servers.
1.1.3 If you sell the computer on which the Software is installed, you will ensure
that all copies of the Software have been previously deleted.
1.1.4 You shall not decompile, reverse engineer, disassemble or otherwise
reduce any part of this Software to a humanly readable form nor permit any third
party to do so. The interface information necessary to achieve interoperability of
the Software with independently created computer programs will be provided by
Kaspersky Lab by request on payment of its reasonable costs and expenses for
procuring and supplying such information. In the event that Kaspersky Lab
notifies you that it does not intend to make such information available for any reason,
including (without limitation) costs, you shall be permitted to take such steps to
achieve interoperability, provided that you only reverse engineer or decompile
the Software to the extent permitted by law.
1.1.5 You shall not make error corrections to, or otherwise modify, adapt, or
translate the Software, nor create derivative works of the Software, nor permit
any third party to copy (other than as expressly permitted herein).
1.1.6 You shall not rent, lease or lend the Software to any other person, nor
transfer or sub-license your license rights to any other person.
1.1.7 You shall not use this Software in automatic, semi-automatic or manual
tools designed to create virus signatures, virus detection routines, any other data
or code for detecting malicious code or data.
1.1.8 Kaspersky Lab may ask User to install the latest version of the Software
(the latest version and the latest maintenance pack).
1.1.9 Removal of Potentially Harmful Products. You acknowledge and agree that,
in addition to detecting harmful and malicious software, the Product may also
identify, remove and/or disable potentially harmful products, including those that
are regarded or classified as Adware, Riskware, Pornware etc.
2. Support.
(i) Kaspersky Lab will provide you with the support services (“Support Services”)
as defined below for a period, specified in the License Key File and
indicated in the "Service" window, since the moment of purchasing on:
    (a) payment of its then current support charge, and:
    (b) Kaspersky Lab's technical support service is also entitled to demand
    from the End User additional registration for identifier awarding
    for Support Services rendering.
    (c) Until Software activation and/or obtaining of the End User identifier
    (Customer ID) technical support service renders only assistance in
    Software activation and registration of the End User.
(ii) By completion of the Support Services Subscription Form you consent to
the terms of the Kaspersky Lab Privacy Policy, which is deposited on
www.kaspersky.com/privacy, and you explicitly consent to the transfer of
data to other countries outside your own as set out in the Privacy Policy.
(iii) Support Services will terminate unless renewed annually by payment of
the then-current annual support charge and by successful completion of
the Support Services Subscription Form again.
(iv) “Support Services” means:
    (a) Hourly updates of the Anti-Virus database;
    (b) Free software updates, including version upgrades;
    (c) Technical support via Internet and hot phone-line provided by Vendor
    and/or Reseller;
    (d) Virus detection and disinfection updates in 24-hours period.
(v) Support Services are provided only if and when you have the latest version
of the Software (including maintenance packs) as available on the
official Kaspersky Lab website (www.kaspersky.com) installed on your
computer.
3. Ownership Rights. The Software is protected by copyright laws. Kaspersky
Lab and its suppliers own and retain all rights, titles and interests in and to the
Software, including all copyrights, patents, trademarks and other intellectual
property rights therein. Your possession, installation, or use of the Software does
not transfer any title to the intellectual property in the Software to you, and you
will not acquire any rights to the Software except as expressly set forth in this
Agreement.
4. Confidentiality. You agree that the Software and the Documentation, including
the specific design and structure of individual programs constitute confidential
proprietary information of Kaspersky Lab. You shall not disclose, provide, or
otherwise make available such confidential information in any form to any third party
without the prior written consent of Kaspersky Lab. You shall implement
reasonable security measures to protect such confidential information, but without
limitation to the foregoing shall use best endeavours to maintain the security of the
activation code.
5. Limited Warranty.
(i) Kaspersky Lab warrants that for six (6) months from first download or
installation the Software purchased on a physical medium will perform
substantially in accordance with the functionality described in the Documentation
when operated properly and in the manner specified in the Documentation.
(ii) You accept all responsibility for the selection of this Software to meet your
requirements. Kaspersky Lab does not warrant that the Software and/or
the Documentation will be suitable for such requirements nor that any use
will be uninterrupted or error free.
(iii) Kaspersky Lab does not warrant that this Software identifies all known
viruses, nor that the Software will not occasionally erroneously report a
virus in a title not infected by that virus.
(iv) Kaspersky Lab does not warrant that this Software provides protection
after expiring date (see .2 (i))
(v) Your sole remedy and the entire liability of Kaspersky Lab for breach of
the warranty at paragraph (i) will be at Kaspersky Lab option, to repair,
replace or refund of the Software if reported to Kaspersky Lab or its
designee during the warranty period. You shall provide all information as may
be reasonably necessary to assist the Supplier in resolving the defective
item.
(vi) The warranty in (i) shall not apply if you (a) make or cause to be made any
modifications to this Software without the consent of Kaspersky Lab, (b)
use the Software in a manner for which it was not intended, or (c) use the
Software other than as permitted under this Agreement.
(vii) The warranties and conditions stated in this Agreement are in lieu of all
other conditions, warranties or other terms concerning the supply or
purported supply of, failure to supply or delay in supplying the Software or the
Documentation which might but for this paragraph (vi) have effect
between the Kaspersky Lab and your or would otherwise be implied into or
incorporated into this Agreement or any collateral contract, whether by
statute, common law or otherwise, all of which are hereby excluded
(including, without limitation, the implied conditions, warranties or other
terms as to satisfactory quality, fitness for purpose or as to the use of
reasonable skill and care).
6. Limitation of Liability.
(i) Nothing in this Agreement shall exclude or limit Kaspersky Lab’s liability
for (a) the tort of deceit, (b) death or personal injury caused by its breach
of a common law duty of care or any negligent breach of a term of this
Agreement, or (c) any other liability which cannot be excluded by law.
(ii) Subject to paragraph (i) above, Kaspersky Lab shall bear no liability
(whether in contract, tort, restitution or otherwise) for any of the following
losses or damage (whether such losses or damage were foreseen,
foreseeable, known or otherwise):
(a) Loss of revenue;
(b) Loss of actual or anticipated profits (including for loss of profits on
contracts);
(c) Loss of the use of money;
(d) Loss of anticipated savings;
(e) Loss of business;
(f) Loss of opportunity;
(g) Loss of goodwill;
(h) Loss of reputation;
(i) Loss of, damage to or corruption of data, or:
(j) Any indirect or consequential loss or damage howsoever caused
(including, for the avoidance of doubt, where such loss or damage
is of the type specified in paragraphs (ii), (a) to (ii), (i).
(iii) Subject to paragraph (i), the liability of Kaspersky Lab (whether in
contract, tort, restitution or otherwise) arising out of or in connection with the
supply of the Software shall in no circumstances exceed a sum equal to
the amount equally paid by you for the Software.
7. This Agreement contains the entire understanding between the parties with
respect to the subject matter hereof and supersedes all and any prior
understandings, undertakings and promises between you and Kaspersky Lab, whether
oral or in writing, which have been given or may be implied from anything written
or said in negotiations between us or our representatives prior to this Agreement
and all prior agreements between the parties relating to the matters aforesaid
shall cease to have effect as from the Effective Date.
________________________________________________________________
When using demo software, you are not entitled to the Technical Support specified in
Clause 2 of this EULA, nor do you have the right to sell the copy in your possession to
other parties.

You are entitled to use the software for demo purposes for the period of time
specified in the license key file starting from the moment of activation (this period
can be viewed in the Service window of the software's GUI).
