Safe'n'Sec
© 2010 S.N.Safe & Software Ltd.
Table of Contents
Chapter I  Introduction  4
  1 What is Safe'n'Sec  4
  2 How it works  5
  3 System requirements  6
Chapter II  Graphical User Interface  7
  1 System tray icon  7
  2 Context menu  7
  3 Control panel  8
    Protection status  8
    Scan  9
    Program update  10
    License  10
    Help and support  11
Chapter III  Getting started  12
  1 Program activation  12
  2 Program update  13
  3 Scan  13
  4 Create system profile  14
Chapter IV  Protection  15
  1 Activity control  16
  2 Learning mode  17
  3 Control policy  18
    Activity policies  19
      File system  21
      System Registry  21
      Network  22
      Devices  23
    Processes and applications  23
    Application properties  25
      Common properties  26
      Activity log  27
      Custom rules  28
  4 Notifications  28
    Unknown application launch  29
    Policy violation  30
Chapter V  Scan  31
  1 Objects  33
  2 Scan results  33
  3 Threats detected  34
Chapter VI  Program update  35
Chapter VII  Settings  37
  1 Activity control  37
  2 Scan  39
  3 Updates  40
  4 Interface  40
  5 Reports  41
  6 Notifications  42
  7 Program recovery  42
Chapter VIII  S.N.Safe'n'Software  43
Index  45
1 Introduction
Dear customer!
S.N.Safe & Software Ltd. thanks you for choosing Safe'n'Sec. Our experts do their utmost to make the
program both meet the highest requirements in the field of information protection and be convenient
to use. We believe that Safe'n'Sec will be helpful to you. This manual is the property of S.N.Safe &
Software Ltd. and must not be used without prior written permission from the company. It is prohibited
to reproduce parts of this manual, make changes to it, or distribute it electronically or by any other means
without prior written permission from the company and a reference to the source.
All the names used throughout this manual are trademarks of S.N.Safe & Software Ltd. and
other respective owners.
The contents of the manual may change without notice. Please send your feedback to
support@safensoft.com.
S.N.Safe & Software Ltd., 2004-2010
All rights reserved
1.1 What is Safe'n'Sec
Safe'n'Sec is a program that aims at protecting your data from unknown threats and
vulnerabilities. The program utilizes bleeding-edge technologies to detect malicious code. These are
proactive technologies: a threat is identified solely by its behaviour, disregarding its executable
code. Furthermore, it makes absolutely no difference what kind of threat it is: a virus, a hacker
attack, a trojan program, etc.
Safe'n'Sec ensures that:
· data is protected from new viruses and hacker attacks by means of strict control of any sort of
  activity that might occur on a computer. Any software activity is examined in detail, and in case any
  threat is detected all unsafe operations are securely blocked;
· the system is protected from break-in and unauthorized access via detecting exploit attacks, system
  registry and services changes, and by restricting access to your data (documents, address books,
  logo, etc.);
· well-known malicious programs (viruses, trojan programs, network worms, spy programs, etc.) are
  searched for and neutralized on a computer. Antivirus bases of well-known antivirus software vendors
  are used during the search. This feature is available only if you have purchased the extended
  delivery set;
· it is automatically updated via the Internet. Our experts continually study new threats and
  vulnerability development trends. This knowledge helps them build update packets that are
  automatically delivered to your computer at the proper time;
· detailed reports regarding the functioning of the program are kept. The reports are stored in the form
  of plain text files. You can view the reports at any time you wish.
It is not the malicious code itself that threatens your data, but what the code actually does. A virus can live
in a computer for years without ever causing any harm at all. Your data gets corrupted not by the
virus itself, but by the malicious actions it performs. Reactive technologies such as anti-viruses
are able to detect malicious software only if a corresponding virus signature record exists in an
anti-virus database, whereas proactive technologies are able to detect a malicious program when it
tries to perform harmful actions. Thus, proactive technologies are always a step ahead of reactive
ones.
1.2 How it works
The main purpose of a protection system is to preserve the initial integrity of the Operating
System and all its components, including those that were installed by you. No one but you may change
the integrity of the Operating System components. The standard integrity control
is implemented in an original manner. The program carries out an automatic setup during which it checks
the integrity of the Operating System components and records them in a service database. Any executable
module is loaded only after it successfully passes a check against the service database. Any unknown
application (an application that has no record associated with it in the service database) can be
started and executed only in the current Operating System session and only if it is you who initiated its
startup. It is you who is responsible for deciding whether a new application should be
considered a system component.
Let us consider an attack scenario in which a flaw in an Operating System component (web
browser, e-mail client, instant messenger, P2P client, etc.) is exploited. During execution of the malicious
shell code the following steps are taken:
· new executable modules are installed (copied to the system directory) and registered to be auto-started
  during Operating System startup;
· one or more Operating System components are infected. The intruder's goal consists in acquiring
  control over the Operating System while keeping it stable at the same time.
Since Safe'n'Sec allows only those executable modules that were registered in the service
database in advance to load, the new executable modules will fail to run. Those system components that were
modified by the malicious shell code will also fail to start. You will be notified about these failures.
There is no need to ask your permission to start any of the aforementioned modules, since it is not you who
is responsible for the change in the integrity of the Operating System components.
When a new application starts installing, the protection system notifies you that an unregistered
application is trying to launch, and offers the following choices:
· Application launch. The application is allowed to start and to load any additional executable
  modules that fail the integrity check against the service database. Let us suppose such an
  application is a malicious one. In this case it can even install additional components into the
  Operating System; still, they will be allowed to execute only until the next time the Operating System is
  restarted. Upon system restart they will be denied loading, since they are not registered in the
  service database.
· Application launch is prohibited. No comments.
· New application installation. In this case the protection system registers in the service database
  all the new components the application installs. The application and its components are granted
  the right to start.
By default, only those modules that reside on a hard drive are registered in the service database. Those
executable modules that are distributed as parts of application resources, archives, and the like will
not be initially registered. In order for such applications to work properly, the protection system
allows you to start them in the Install mode, which is the same mode in which Safe'n'Sec operates
when a new application is installed. Safe'n'Sec should activate the Install mode for a given
application only once in the application's life, in order to register all the executable modules the
application might have in the form of embedded resources, archives, etc. The next launch of the application
can be controlled by the protection system in the normal mode without the need for you to perform
extra actions.
If a rootkit exists in the Operating System during the protection system installation process and this
rootkit is loaded after the Safe'n'Sec program loads at system startup, the rootkit will fail to run, since
its hidden modules are unknown to the protection system and are not registered in the service
database.
1.3 System requirements
Operating Systems:
· Microsoft Windows 7 Home Basic x86/x64
· Microsoft Windows 7 Home Premium x86/x64
· Microsoft Windows 7 Professional x86/x64
· Microsoft Windows 7 Ultimate x86/x64
Hardware requirements:
· Intel Pentium x86/x64, 800 MHz or compatible
· 512 MB RAM or more
· At least 150 MB of free disk space

Operating Systems:
· Microsoft Windows Vista Home Basic x86/x64 (SP1)
· Microsoft Windows Vista Home Premium x86/x64 (SP1)
· Microsoft Windows Vista Business x86/x64 (SP1)
· Microsoft Windows Vista Ultimate x86/x64 (SP1)
Hardware requirements:
· Intel Pentium x86/x64, 800 MHz or compatible
· 512 MB RAM or more
· At least 150 MB of free disk space

Operating Systems:
· Microsoft Windows XP Home Edition (SP3)
· Microsoft Windows XP Professional Edition (SP3)
· Microsoft Windows XP Professional x64 Edition (SP3)
Hardware requirements:
· Intel Pentium x86/x64, 300 MHz or compatible
· 256 MB RAM or more
· At least 150 MB of free disk space
2 Graphical User Interface
Safe'n'Sec is known for its rather simple and handy interface. This chapter covers its basic elements:
· System tray icon
· Context menu
· Control panel
2.1 System tray icon
As soon as Safe'n'Sec finishes installing onto the user's computer, it displays its icon in the system tray.
The icon plays the role of the program's activity indicator: it displays the status of the protection and
which of the following states the protection system is in:
- protection is activated;
- protection is deactivated;
- automatic program setup;
- protection is being updated;
- computer is being checked.
The icon also provides access to the main elements of the program's interface: the context menu and the
control panel.
To open the context menu, click the program's icon with the right mouse button.
To open the control panel, double-click the program's icon with the left mouse button.
2.2 Context menu
To open the context menu you should right-click the program's icon. The menu contains items that
provide quick access to the controls and setup of Safe'n'Sec:
· Safe'n'Sec item allows you to open the program's main window, the control panel.
· Settings item allows you to view and change the program's parameters.
· Activity Policies item allows you to change application activity policies.
· Processes and applications item takes you to viewing and changing application parameters.
· Scan item allows you to start checking your computer for malicious objects.
· Update item starts the program's update process.
· Enable/disable protection item allows you to change the state of the protection system.
· About item shows the About box with information on Safe'n'Sec.
· Show program icon item allows you to toggle visibility of the program's icon in the notification area.
· Exit item allows you to shut down the graphical user interface of the program. Note that the protection
  module will still be running.
2.3 Control panel
The control panel is the main window of the Safe'n'Sec program. It contains the following sections:
· Status is responsible for managing parameters of the computer protection.
· Scan allows you both to scan your computer for malicious code and to manage scan settings.
· Update manages the program update process and its settings.
· License displays legal information regarding your license, program activation, and license
  prolongation.
· Help and support contains information about the version of Safe'n'Sec and allows you to
  send an inquiry to the support service.
2.3.1 Protection status
The Status section displays the current status of the protection system:
· Computer is protected assures you that all the protection regions are under control and the
  program is stable.
· Partial protection indicates that at least one of the protection regions is out of control.
· Unprotected notifies you that the protection system is disabled altogether.
To change the protection status you should click the corresponding link with the left mouse button:
· File system link toggles file system protection.
· System registry link toggles the system registry protection.
· Network link toggles protection of the network connections.
The lower part of the window contains basic information about application activities and allows you to
change settings of the application control:
· Applications running displays the number of currently running processes.
· Trusted applications displays the number of trusted and well-known applications. The trusted
  application list is populated automatically at the phase of program automatic setup or manually
  by you.
· Controlled applications displays the number of applications whose activities are controlled by
  application activity policies. The list is populated either automatically when an unknown
  application starts or manually by you.
· Applications blocked displays the number of applications that were blocked. A blocked application
  will fail to start as long as Safe'n'Sec protection is enabled.
· Last incident shows information about the last blocked application.
· Settings links to application activity control parameters.
Actions
Enable protection
1. Click the Settings link in the Status section of the Control panel.
2. Disable the Enable checkbox for the program to stop controlling its protection scopes.
or
Click the Change button in the Protection mode group and uncheck the checkbox corresponding to
the protection scope you no longer need to control.
Change policy rule
1. Click the Settings link in the Status section of the Control panel.
2. Click the Change button in the Application control policies group.
2.3.2 Scan
The Scan section displays information regarding the last malicious code search and allows you to change
settings of the scan process:
· Scan has not been performed indicates that a scan for malicious code has never been conducted.
· No threats found indicates that the last scan either did not reveal any malicious code or all
  detected threats have been neutralized.
· Untreated threats exist indicates that during the last scan a number of malicious objects were
  detected, but not all of them were neutralized. It is recommended to update the program and
  rescan the computer, or to manually neutralize the remaining threats using the detected threats list.
· Scan data is obsolete indicates that more than 5 days have passed since the last scan. It is
  recommended to conduct a computer scan again.
· Scan is unavailable indicates that the program is not activated. In order to activate the program you
  should provide a license key.
· Last scan displays detailed information about the last scan.
· Threat response specifies what the program should do in case a threat is detected:
  · Automatic specifies that an attempt should be made to treat the infected object detected, or
    delete it if treatment is not possible.
  · Ask user when complete specifies that the program should ask you what should be done
    with the infected object when the scan completes.
  · Ask user when detected specifies that the program should ask you to decide what
    should be done with a malicious object each time such an object is detected.
· Settings allows you to change scan settings.
· Quarantine shows you a list of objects moved to quarantine.
Actions
Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.
View scan report
1. Click the Last scan link in the Scan section of the Control panel.
2. To view previous scan reports you will have to navigate to the <product installation
   directory>\Reports folder and open a scan<scan date and time>.txt file.
2.3.3 Program update
The Update section displays information about the last program update and allows you to change
update settings:
· Updates are out of date indicates that the update routine has never taken place or more than 5 days
  have passed since the last update. It is recommended to update the program.
· Updates are up to date specifies that the program is up-to-date.
· Updates are unavailable specifies that the program is not activated or the license key has expired. In
  order to perform a program update you should provide a license key and activate the program or
  extend the license.
· Last search for updates displays detailed information about the last search for available updates.
· Updates installed displays details about the last updates installed.
· Startup mode specifies when the update routine starts:
  · Automatic specifies that the update routine should start automatically.
  · On demand specifies that the update routine should start on demand.
· Settings allows you to change update settings.
Actions
Interrupt update
1. Click the Stop update button in the Update section of the Control panel. The update process can
   actually be stopped only at the phase when updates are being downloaded or installed.
2. To view the state of the update process click the More link.
View update report
1. Click the Installed updates link in the Update section of the Control panel.
2. To view reports on previous updates you will have to navigate to the <product installation
   directory>\Reports folder and open an update<update date and time>.txt file.
2.3.4 License
In the License section you are shown information about the license key:
· Active license indicates that the program has been activated and is fully functional.
· License is about to expire indicates that the license will expire in less than 5 days.
· License has expired indicates that the license has expired and the program now works with limited
  functionality. It is recommended to extend the license or buy a new one.
· No license indicates that the program does not work. It is recommended to provide a license key
  and activate the program.
· License type:
  · Commercial license indicates that the scope of the license key is defined at the moment of
    license purchase or prolongation. When the key expires it is possible to extend it or buy a new
    license and reactivate the program.
  · Trial license indicates that a free license key is installed. The scope of such a key is determined
    by the license agreement for trial license keys. Upon license expiration it is impossible to
    reactivate the program.
· License expiration date specifies the license key expiration date.
· License validity term (days) specifies the number of days the license key will be valid for.
· Protection components specifies those program modules that are activated with this particular
  license key:
  · Safe'n'Sec Core (Core) is the base proactive protection component of Safe'n'Sec.
  · Safe'n'Sec Rootkit Detector (RD) is the base component responsible for rootkit detection.
  · Anti-Virus (AV) is an extra component for detecting viruses, trojan programs and other
    malicious objects.
  · Anti-Spyware (AS) is an extra component responsible for detecting spy programs.
· License terms specifies limitations imposed upon license key expiration:
  · Update indicates that program updating is disabled.
  · Settings indicates that you cannot change program settings and activity policies.
  · Scan indicates that you cannot scan your computer.
· Read license agreement shows the license text.
· Buy license navigates you to the company's online store, where you will be able to extend or buy a
  new license key.
Actions
Activate program
1. Provide the license key in the Number field and click the Activate button.
2. In case an Internet connection is available the program will automatically get activated
or
3. In case no Internet connection is available the program will suggest the Manual activation option.
4. You will be asked to contact the Support service by phone and provide them with the serial
   number and hardware code.
5. Type the license key obtained from the Support service in the Number field and click the Activate
   button.
Extend license
1. Click the Buy license button. You will be taken to the company's online store.
2. Choose an appropriate product in the store.
2.3.5 Help and support
In the Help and support section you are provided with the information you will be asked for when
contacting the Support service:
· Safe'n'Sec version.
· Safe'n'Sec update version.
· Version of your Operating System.
Actions
Contact Support
1. To send a request to the Support service, establish an Internet connection.
2. Click the Send request to Support via E-Mail link to send your request by e-mail.
3. Click the Send request to Support via web form link to send your request using an online web
   form.
3 Getting started
Safe'n'Sec is optimally configured upon installation.
When it is first started, a new profile wizard is automatically activated. The wizard helps set up
the program automatically.
It is likely that your computer might have been infected before Safe'n'Sec was installed. You are
advised to perform a full computer scan to detect and treat existing malicious programs.
It is also recommended to update the antivirus bases and the program, for the antivirus bases might
have gone out of date and bug fixes might have been introduced to the program itself.
As soon as the aforementioned steps are taken the program is ready to run.
3.1 Program activation
What functionality of Safe'n'Sec you can use is determined by the license key you have. The key is
provided when you purchase the product and allows you to use the following components as soon as it
is installed:
· Safe'n'Sec Core (Core) is the base component of Safe'n'Sec for executing proactive protection.
· Safe'n'Sec Rootkit Detector (RD) is the base component responsible for detecting rootkits.
· Anti-Virus (AV) is an extra component which searches for viruses, trojan programs and other
  malicious program code.
· Anti-Spyware (AS) is an extra component which aims at detecting spy programs.
Safe'n'Sec will not work without a key, unless it is activated in trial mode.
Upon license key expiration the product remains fully functional, except that you will not be able to
perform program updates. You will still be able to use the protection components and perform scans, but
using the antivirus database you downloaded last while the license key was still active. Therefore, we
provide no guarantee of 100% protection from those malicious programs that have emerged since the
date your license key expired.
To avoid infecting your computer with new viruses you are recommended to extend your license key. A
week before it expires the program will start notifying you about this: upon each start of the program a
corresponding notification message will be displayed.
There are two ways you can activate the program:
· Automatic activation: in this case you provide the serial number and the program automatically
  obtains a corresponding license key from one of the company's Internet servers and activates itself.
· Manual activation: in this case you will be required to transfer the serial number and hardware
  code to the Support service by phone or e-mail, receive a license key by phone or e-mail, and
  activate the program manually.
A serial number consists of a sequence of digits separated by hyphens into a number of blocks
containing no spaces. Note that the serial number should be typed in English letters. In case you
purchased the program in a box, the serial number will be printed on the setup disk envelope.
Actions
Activate program
1. Provide the license key in the Number field and click the Activate button.
2. In case an Internet connection is available the program will automatically get activated
or
3. In case no Internet connection is available the program will suggest the Manual activation option.
4. You will be asked to contact the Support service by phone and provide them with the serial
   number and hardware code.
5. Type the license key obtained from the Support service in the Number field and click the Activate
   button.
3.2 Program update
The Safe'n'Sec program is supplied with antivirus and spy program databases. These databases and
the program are updated on a regular basis, each update bringing new antivirus records and
program bug fixes. However, it is likely that these databases and the program executable code are already
out of date at the moment you install the program.
In order to keep the protection level high you are advised to update the program and the
databases immediately after you install the program.
Actions
Start update
1. Click the Start update button in the Update section of the Control panel.
2. To view the state of the update process click the Details link.
3.3 Scan
Your computer is likely to have been infected with malicious programs prior to installing Safe'n'Sec. You are
recommended to perform a full computer scan to treat all the threats present.
Actions
Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.
3.4 Create system profile
In order to ensure utmost computer protection the Safe'n'Sec creates a System profile at the first time it
starts. The profile al lows to:
Classify al l the applications installed into safe/known and potentially harmful/unknown.Execute unknown applications in a sandbox and automatically block their malicious activities.Make user interaction less required when deciding what to do with an application.
To create a System profile you have to take the following steps:
Update automatic setup components via the Internet. If an Internet connection is unavailable the already present components are used.
Search and collect information about all executable files (exe, com, dll, etc.).
Identify executable files by the following criteria:
  An application is digitally signed.
  A corresponding record for an application exists in a Windows cat file.
  A corresponding record for an application exists in the white list of the Safe'n'Sec.
Define rules of application execution:
  Trusted or well-known application.
  Restricted application.
  Blocked application (execution is prohibited).
Scan the application's files with the anti-virus module.
After the System profile is created, the program tracks new or unknown applications (those that are not described in the System profile), blocks harmful actions and notifies you about their suspicious activities.
NOTE
Creating the system profile can take a long time depending on the amount of installed software. It is recommended to minimize the program's windows to the Windows task bar and proceed with your work.
IMPORTANT
Immediately after the program finishes its installation the protection system is switched off. You are advised to perform the initial setup of the program by creating the System profile. As soon as the profile is created the program will automatically switch the protection on.
Actions
Cancel initial setup
1. Click the Stop button in the Automatic setup window.
2. The program will ask you to create a System profile later.
4 Protection
The major task of the Safe'n'Sec is to protect user data from yet unknown threats and vulnerabilities.
The protection consists of:
Control, which means the program tracks all the activities that occur on the computer: starting/stopping of system services, execution of the software installed, user actions, etc.
Analysis, which means the program analyzes sequences of actions of any application.
Decision making, which means the program decides whether an application harmfully misbehaves, taking into account the results of the analysis of the application's actions.
What to control and how to analyze an application is determined by activity policies. Decision making is based on information about what actions an application has performed and their sequence.
The result of the decision making process is fixed in a status assigned to a controlled application. Following is a list of possible statuses:
Malicious means that what the application does may do harm to your data. As soon as such an application is detected the Safe'n'Sec notifies you with a detailed description of the actions the threat has performed.
Safe marks an application as not malicious. However, the Safe'n'Sec still continues controlling such an application.
The Safe'n'Sec comprises the following proactive protection components:
Application activity control.
Learning mode.
Application activity policy
Activity policy rules
Managing applications and processes
4.1 Activity control
You can find out whether activity control is enabled in the Status section. You are advised to never stop activity control, for as soon as it is off the computer protection is also stopped. The Safe'n'Sec controls the following areas by default:
File system. This area encompasses actions regarding file creation, opening, changing and deletion. A malicious program can create files and execute them. Another goal of a malicious program is to delete or change system files, or to gain unauthorized access to and steal the user's sensitive data. That is why such activities are under the control of the Safe'n'Sec. You are not recommended to switch controlling of this area off. The program contains a file system control policy and you can of course change it.
System registry. This area encompasses actions regarding adding, deleting and changing system registry keys and values. A malicious program can change system registry keys to register itself for automatic start upon the start of the Operating System, substitute other programs with its own malicious modules, delete registry keys critical for system stability, etc. Unauthorized changing of Windows settings and your programs may lead to overall system instability. It is not recommended to switch control of this area off, especially when you explore the Internet. The program has a system registry controlling policy and does not require extra tuning; however, should the need arise, it is possible to change it.
Network. This area deals with actions regarding establishing network connections and sending and receiving data over the network. Many programs have to refer to data sources hosted on the Internet or the local network to obtain the data they need to work, or to send certain data to such sources. For instance, when an ICQ client starts it sends the user login and password to the ICQ server. Malicious programs are able to steal your private data and transfer it to their counterparts on the Internet, and to open unauthorized network connections in order to install and run trojan programs. Hackers explore your computer over the network to see if it has any actual vulnerabilities and whether it is possible to perform a network intrusion. You are advised not to switch control of this area off, especially when you are navigating the Internet and do not use a firewall. The program has a network control policy and does not require further tuning. However, you can change its settings of course.
IMPORTANT.
Network activities are controlled by firewalls. If a firewall is installed on the computer you are
recommended to switch network controlling off in order to avoid software conflicts between the firewall
and the Safe'n'Sec.
Devices. This area encompasses all the attachable devices via which malicious programs can penetrate the computer.
Actions
Turn protection off
1. Open the Program settings window and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Uncheck the Enable checkbox in order to totally switch the protection off.
or
Click the Settings button in the Protection mode group and uncheck the checkbox corresponding to the protection area you no longer need to protect.
Change policy rule
1. Click the Settings link in the Status section of the Control panel.
2. Click the Change button in the Application control policies group.
4.2 Learning mode
The Safe'n'Sec controls application activities and collects data about application actions for further analysis. After the program is installed it uses the default database of well-known applications and associated activity policies. The database is periodically updated along with the program update. However, there may be applications that are not known to the Safe'n'Sec, and certain actions of such programs can be treated by the program as potentially harmful. The learning mode aims at automatically analyzing an unknown application and establishing its activity control policy. The activity control policy is created solely by the program itself without the need for any user interaction.
IMPORTANT.
The learning mode helps to automatically set up the program to work with your applications. Before enabling the learning mode you are recommended to perform a full computer scan.
Actions
Start Learning mode
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Check the Learning mode checkbox.
3. Click the Settings button in the Protection mode group and specify the number of days the mode should be active in case you need to prolong this phase. The default is 5 days.
NOTE
The Learning mode can have a limited period of activity. If no software unknown to the Safe'n'Sec, or no new activities of such software, are detected for a certain period of time the Safe'n'Sec will automatically finish the Learning mode.
4.3 Control policy
Data protection is exercised according to an activity policy.
An activity policy represents a set of rules which determines what actions of an application are analyzed
and how this is done. Therefore, the rules are used to make a decision on whether an application is a
malicious one. It is the activity policy that determines what actions and what action sequences are to
be considered as harmful.
An activity rule is a set of conditions that enumerate an application's activities and actions that the
Safe'n'Sec takes when such activities occur. The conditions of an activity rule define a control scope
which specifies the objects under control, how the Safe'n'Sec treats these objects, the associated
application, etc.
The preventive technologies upon which the Application activity control is based make it possible to disarm an unknown threat before it starts misbehaving. As opposed to reactive technologies, which use a malicious code signature database to detect harmful applications, the proactive technologies take into consideration sequences of actions of an application to bring a verdict. If an application's activity sequence seems to be suspicious the Safe'n'Sec blocks such an application.
As an example, let's consider a typical sequence of actions that characterizes a malicious application. The Safe'n'Sec will certainly consider an application to be a threat if the application copies an executable into the system folder, the auto start folder and the system registry and distributes its copies. In this particular case the Safe'n'Sec will classify the application as a worm.
Harmful actions may also encompass:
actions typical for trojan programs;
attempts to intercept keyboard input;
hidden driver install;
attempts to change the Operating System kernel.
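The following Python model of the sequence-based decision making described above (Control records actions, Analysis matches them against ordered rule steps, Decision making assigns the Malicious or Safe status) is an added example and is not Safe'n'Sec code. The folder paths, registry key, action kinds and the two traces are constructed assumptions; the worm rule follows the manual's own example of a copy into the system folder, an auto start entry and distribution of copies.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Action:
    """One controlled action of an application, as Control would record it."""
    kind: str    # "file_create", "file_change", "registry_set", "keyboard_hook", "net_send", ...
    target: str  # file path, registry key or remote resource (compared case-insensitively)


Predicate = Callable[[Action], bool]


@dataclass(frozen=True)
class SequenceRule:
    """A verdict and the ordered steps that must all occur (gaps allowed) to reach it."""
    verdict: str
    steps: tuple[Predicate, ...]


# Constructed locations standing in for the system folder, the auto start folder,
# the autorun registry key and the "distribution" targets of the manual's worm example.
SYSTEM_DIR = "c:\\windows\\system32\\"
STARTUP_DIR = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
DISTRIBUTION_PREFIXES = ("\\\\", "e:\\", "f:\\")  # network shares and removable drives


def _under(prefix: str) -> Predicate:
    return lambda a: a.target.lower().startswith(prefix)


def _is_executable(a: Action) -> bool:
    return a.target.lower().endswith((".exe", ".com", ".dll", ".sys", ".scr"))


WORM = SequenceRule("worm", (
    # 1. drops an executable copy into the system folder
    lambda a: a.kind == "file_create" and _is_executable(a) and _under(SYSTEM_DIR)(a),
    # 2. registers for auto start via the startup folder or the Run key
    lambda a: (a.kind == "file_create" and _under(STARTUP_DIR)(a))
              or (a.kind == "registry_set" and _under(RUN_KEY)(a)),
    # 3. distributes copies to shares or removable media
    lambda a: a.kind == "file_create" and _is_executable(a)
              and a.target.lower().startswith(DISTRIBUTION_PREFIXES),
))
KEYBOARD_INTERCEPTION = SequenceRule("keyboard interception", (
    lambda a: a.kind == "keyboard_hook",
    lambda a: a.kind in ("file_change", "net_send"),  # captured input is stored or sent out
))
KERNEL_MODIFICATION = SequenceRule("kernel modification", (
    lambda a: a.kind == "file_change" and _under(SYSTEM_DIR)(a)
              and a.target.lower().endswith(".sys"),
))
DEFAULT_POLICY = (WORM, KEYBOARD_INTERCEPTION, KERNEL_MODIFICATION)


def match_sequence(rule: SequenceRule, actions: list[Action]) -> list[Action] | None:
    """Return the action that satisfied each step, in order, or None if a step never occurs."""
    matched: list[Action] = []
    pos = 0
    for step in rule.steps:
        while pos < len(actions) and not step(actions[pos]):
            pos += 1
        if pos == len(actions):
            return None
        matched.append(actions[pos])
        pos += 1
    return matched


def decide(actions: list[Action], policy=DEFAULT_POLICY) -> tuple[str, str | None, list[str]]:
    """Decision making: the status assigned to the application, the rule verdict,
    and the list of performed actions the notification would show the user."""
    for rule in policy:
        hit = match_sequence(rule, actions)
        if hit is not None:
            return "Malicious", rule.verdict, [f"{a.kind} {a.target}" for a in hit]
    return "Safe", None, []  # a Safe application stays under control all the same


# Constructed traces; the first one follows the worm sequence from the manual.
WORM_TRACE = [
    Action("file_read", "c:\\users\\alice\\downloads\\holiday.scr"),
    Action("file_create", "c:\\windows\\system32\\svchosts.exe"),
    Action("registry_set", "hkcu\\software\\microsoft\\windows\\currentversion\\run\\svchosts"),
    Action("net_connect", "10.0.0.7:445"),
    Action("file_create", "\\\\fileserver\\public\\svchosts.exe"),
]
EDITOR_TRACE = [
    Action("file_read", "c:\\users\\alice\\documents\\notes.txt"),
    Action("file_change", "c:\\users\\alice\\documents\\notes.txt"),
    Action("net_send", "updates.example:443"),
]

if __name__ == "__main__":
    for trace in (WORM_TRACE, EDITOR_TRACE):
        print(decide(trace))
```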
The Application activity control interface consists of:
Activity policies
Managing applications and processes
4.3.1 Activity policies
The Activity policies section of the Policy rules window contains information about general rules imposed on all applications when resource (files, folders, system registry, etc.) or device access is detected. These rules are grouped into Common rules:
File system.
System Registry.
Network.
Process privileges.
Devices.
A default set of rules is shipped with the program. The set is developed by the company's experts as a
result of analyzing malicious code behaviour.
Actions
Block access to file object
1. Switch to the Common rules section in the Application control policy window.
2. Select the File system protection scope from the drop-down list.
3. Select a file system object in the tree and:
  Check the Read checkbox in order to protect the file from reading by applications. This will automatically block changing and deletion of the file.
  Check the Change checkbox to protect the file object from creation and altering by applications.
  Check the Delete checkbox to protect the file object from being deleted.
4. A folder can have nested file system objects - other folders and files. Click the Yes button in the Propagate dialogue to propagate the specified restrictions onto all the nested objects of the current one.
5. Click the Apply button to make the changes to the policy active.
Block access to a System Registry object
1. Switch to the Common rules section in the Application control policy window.
2. Select the System Registry protection scope from the drop-down list.
3. Select a System Registry object in the tree and:
  Check the Read checkbox to protect the specified object from reading. This will also automatically protect the object from changing and deletion.
  Check the Change checkbox to protect the object from creation or changing.
  Check the Delete checkbox to protect the object from being deleted.
4. A System Registry key can have nested objects such as other keys or values. Click the Yes button in the Propagate dialogue to propagate the specified rules onto all the nested objects.
5. Click the Apply button to bring the changes to the policy you have just made into action.
Create a Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network protection scope from the drop-down list.
3. Click the Add button.
4. Supply a name for the network rule in the Name field.
5. Specify the direction of data transfer from the Direction drop-down list. The default value is Inbound/Outbound.
6. Specify the network protocol from the Protocol drop-down list. The default value is TCP/UDP.
7. Define the Local IP address or an address range in the appropriate fields. The default value is Any address.
8. Define the Remote IP address or an address range in the appropriate fields. The default value is Any address.
9. Click the OK button to save the rule.
10. In the list of network rules check the Block checkbox next to the rule created to block communication with the specified network resource.
Change Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select an appropriate network rule from the list.
4. Click the Edit button.
Remove Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select an appropriate network rule from the list.
4. Click the Delete button. The program will delete the rule and allow communication with the specified network resource.
or
5. Uncheck the Block checkbox next to the rule. The program will allow communication with the specified network resource.
Block all network activities
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select the Any network activity network rule from the list and check the Block checkbox next to it.
Deny using USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices item from the list and check the Read checkbox.
4. Click the Apply button for the changes you have made to come into action.
Deny access to files on a USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices item in the list and:
  Check the Read checkbox for the program to block read file object operations on all USB devices.
  Check the Edit checkbox for the program to block create and change file object operations on all USB devices.
  Check the Delete checkbox for the program to block delete file object operations on all USB devices.
4. Click the Apply button to apply the changes you have made.
Hide unrestricted resources
1. Switch to the Common rules section in the Application control policy window.
2. Uncheck the Show objects without access restrictions checkbox.
4.3.1.1 File system
The File system scope encompasses those access rules that deal with file system objects:
Reading of a file or a folder.
Creating and Changing of a file or a folder.
Deleting of a file or a folder.
Actions
Deny access to file system object
1. Switch to the Common rules section in the Application control policy window.
2. Select the File system scope from the drop-down list.
3. Select a file system object in the object tree and:
  Check the Read checkbox in order for the Safe'n'Sec to deny applications reading of the file system object. Denying reading blocks changing and deleting of the object as well.
  Check the Change checkbox for the program to deny creation or changing of the file object.
  Check the Delete checkbox for the program to block deletion of the file object.
4. A folder can have other nested file system objects such as other folders and files. Click the Yes button in the Propagate dialogue in order to propagate the specified restrictions onto all the nested objects of the current one.
5. Click the Apply button to apply the changes.
4.3.1.2 System Registry
The System Registry protection scope allows you to create rules controll ing access to the Microsoft
Windows System Registry:
Reading of keys and values.
Creating of keys and values.
Deleting of keys and values.
Actions
Deny access to System Registry object
1. Switch to the Common rules section in the Application control policy window.
2. Select the System Registry protection scope from the drop-down list.
3. Select a System Registry object in the tree and:
  Check the Read checkbox to protect the specified object from reading. This will also automatically protect the object from changing and deletion.
  Check the Change checkbox to protect the object from creation or changing.
  Check the Delete checkbox to protect the object from being deleted.
4. A System Registry key can have nested objects such as other keys or values. Click the Yes button in the Propagate dialogue to propagate the specified rules onto all the nested objects.
5. Click the Apply button to bring the changes to the policy you have just made into action.
4.3.1.3 Network
The Network protection scope allows you to create access rules in regard to network resources:
Creating network connections.
Transferring data to a remote computer.
Receiving data from a remote computer.
A network rule comprises the following information:
Name - specifies the name of the rule.
Direction - specifies the direction of a network connection from the point of view of the connection originator:
  Inbound - indicates that the connection has been initiated by the remote counterpart.
  Outbound - indicates that the connection has been initiated by the local computer.
  Inbound/Outbound - encompasses both directions.
Protocol - specifies the name of the protocol used to establish the connection:
  TCP
  UDP
  TCP/UDP - either of these two.
Local address - specifies the IP address or a range of IP addresses of the local computer. The *.* mask identifies any available local network address.
Remote address - specifies an IP address or a range of IP addresses of the remote computer. The *.* mask identifies any remote network address.
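The following Python model of how a connection is matched against a list of network rules with the fields just described (direction, protocol, local and remote address or range, the *.* mask, and the Block checkbox) is an added example and is not Safe'n'Sec code. The sample rules and addresses are constructed, and the evaluation order is an assumption: a connection is blocked as soon as any matching rule has Block set, which also gives the "Block all network activities" action via the catch-all Any network activity rule.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
import ipaddress

ANY = "*.*"  # the mask the manual uses for "any address"


@dataclass(frozen=True)
class AddressSpec:
    """A single IPv4 address, an inclusive range written "a-b", or the *.* mask."""
    text: str

    def contains(self, ip: str) -> bool:
        if self.text == ANY:
            return True
        addr = ipaddress.IPv4Address(ip)
        if "-" in self.text:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in self.text.split("-", 1))
            return lo <= addr <= hi
        return addr == ipaddress.IPv4Address(self.text)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    direction: str = "Inbound/Outbound"   # Inbound, Outbound or Inbound/Outbound
    protocol: str = "TCP/UDP"             # TCP, UDP or TCP/UDP
    local: AddressSpec = AddressSpec(ANY)
    remote: AddressSpec = AddressSpec(ANY)
    block: bool = False                   # the Block checkbox next to the rule


@dataclass(frozen=True)
class Connection:
    direction: str  # Inbound or Outbound, seen from the connection originator
    protocol: str   # TCP or UDP
    local_ip: str
    remote_ip: str


def rule_matches(rule: NetworkRule, conn: Connection) -> bool:
    """A rule applies when every field either equals the connection's value or is the 'both' option."""
    return (rule.direction in (conn.direction, "Inbound/Outbound")
            and rule.protocol in (conn.protocol, "TCP/UDP")
            and rule.local.contains(conn.local_ip)
            and rule.remote.contains(conn.remote_ip))


def evaluate(rules: list[NetworkRule], conn: Connection) -> tuple[str, list[str]]:
    """Verdict plus the names of the rules that matched. Assumption: the connection is
    blocked as soon as any matching rule has its Block checkbox set."""
    matched = [r for r in rules if rule_matches(r, conn)]
    verdict = "Blocked" if any(r.block for r in matched) else "Allowed"
    return verdict, [r.name for r in matched]


def block_everything(rules: list[NetworkRule]) -> list[NetworkRule]:
    """The 'Block all network activities' action: set Block on the catch-all rule."""
    return [replace(r, block=True) if r.name == "Any network activity" else r for r in rules]


# Constructed rule list: the catch-all Any network activity rule the manual refers to,
# left unblocked, plus two user-created blocking rules.
SAMPLE_RULES = [
    NetworkRule("Any network activity"),
    NetworkRule("Inbound TCP to workstation", direction="Inbound", protocol="TCP",
                local=AddressSpec("192.168.1.10"), block=True),
    NetworkRule("Outbound UDP to test net", direction="Outbound", protocol="UDP",
                remote=AddressSpec("203.0.113.0 - 203.0.113.255"), block=True),
]

if __name__ == "__main__":
    for conn in (Connection("Outbound", "TCP", "192.168.1.10", "198.51.100.5"),
                 Connection("Inbound", "TCP", "192.168.1.10", "198.51.100.5")):
        print(conn, evaluate(SAMPLE_RULES, conn))
```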
Actions
Create a Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network protection scope from the drop-down list.
3. Click the Add button.
4. Supply a name for the network rule in the Name field.
5. Specify the direction of data transfer from the Direction drop-down list. The default value is Inbound/Outbound.
6. Specify the network protocol from the Protocol drop-down list. The default value is TCP/UDP.
7. Define the Local IP address or an address range in the appropriate fields. The default value is Any address.
8. Define the Remote IP address or an address range in the appropriate fields. The default value is Any address.
9. Click the OK button to save the rule.
10. In the list of network rules check the Block checkbox next to the rule created to block communication with the specified network resource.
Change Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select an appropriate network rule from the list.
4. Click the Edit button.
Delete network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select a network rule from the list.
4. Click the Delete button to delete the rule. The Safe'n'Sec will start allowing connections with the remote resource specified in the deleted rule.
or
5. Uncheck the Deny checkbox next to the rule selected. The Safe'n'Sec will start allowing connections with the remote resource specified in the rule.
Block all network activities
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select the Any network activity network rule from the list and check the Block checkbox next to it.
4.3.1.4 Devices
The Devices protection scope allows you to create rules that control access to certain devices:
Reading file resources from USB devices.
Creating and Changing file resources on USB devices.
Deleting file resources on USB devices.
Actions
Deny using USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices item from the list and check the Read checkbox.
4. Click the Apply button for the changes you have made to come into action.
Deny access to files on a USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices item in the list and:
  Check the Read checkbox for the program to block read file object operations on all USB devices.
  Check the Edit checkbox for the program to block create and change file object operations on all USB devices.
  Check the Delete checkbox for the program to block delete file object operations on all USB devices.
4. Click the Apply button to apply the changes you have made.
4.3.2 Processes and applications
The Processes and applications section in the Application control policy window contains information
about all the applications on the computer:
Internal name - specifies the name of an application (read from the version info of the application) or the name of a file.
Status - specifies the status of an application:
  Running - indicates that the application is currently executing.
  Grayed - indicates that the application is currently not running.
Restrictions - specifies the set of restrictions imposed on the application:
  Custom - specifies that the application is a Trusted or Well-known one. The application is controlled by Custom restrictions only.
  Common or Custom - specifies that the application is under the control of Common and Custom restrictions.
  Execution blocked - specifies that the application is blocked by the Safe'n'Sec.
Company - determines the producer of the application (read from the version info of the application).
Product name - determines the name of the application (read from the version info of the application).
Delete on restart - indicates that the application must be deleted the next time the Operating System restarts. This approach is used to delete malicious programs that, when running, actively protect themselves from being deleted. The property is not displayed by default.
When an application first starts the Safe'n'Sec registers it in its service database and automatically assigns restrictions:
Custom restrictions are assigned to Well-known or Trusted applications. Well-known applications are identified by a trusted digital signature and a corresponding record in Windows catalogue files (this is a common practice for all Windows system applications) and by "white lists" managed by the Safe'n'Sec. Trusted applications are those that you manually mark to be considered trusted.
Common and Custom restrictions are assigned to Unknown applications. An Unknown application is one that is installed on the computer after the Safe'n'Sec was installed. The Safe'n'Sec detects installation of new software and suggests marking the application as well-known if the installation process was initiated by you and originated from a trusted source.
Actions
Block application execution
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications in the list and from the context menu select the Block execution item.
IMPORTANT
Please be careful when denying execution of an application. If you deny execution of a system service or process it may lead to Windows inoperability.
Register new application
1. Switch to the Processes and applications section in the Application control policy window.
2. Click the Add button and specify an application in the Open file dialogue. By default the application will be assigned Common and Custom restrictions.
Mark application as Trusted
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications in the list and from the context menu select the Trust item.
Change application properties
1. Open the Program settings window from the program's context menu and select the Activity control section.
2. Click the Settings button in the Application control policies group.
3. In the window opened select the Applications tab.
4. Specify an application in the list and click the Properties link.
or
5. Click the Registered applications link in the Status section of the Control panel.
6. Specify an application in the list and click the Properties link.
Remove from Trusted
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications and from the context menu select the Remove from Trusted item.
Unregister application
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications in the list and click the Delete link.
Delete application upon restart
1. Switch to the Processes and applications section in the Application control policy window.
2. Make the Delete on restart column visible in the list settings window.
3. Specify the required application in the list and from the context menu select the Delete on restart item.
Terminate application
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify the application in the list and click the Terminate link.
IMPORTANT
Please, be careful specifying applications for termination. Terminating system processes may lead to
Windows restart.
4.3.3 Application properties
This chapter considers application properties:
Common
History
Restrictions
Actions
Change rules
1. Switch to the Processes and applications section in the Application control policy window.
2. Select an application from the list and click the Properties link.
3. In the Common section click the Rules link and select:
  Remove from Trusted to force the Safe'n'Sec to assign Common and Custom rules to the application.
  Trust to tell the Safe'n'Sec to assign Custom rules to the application.
  Block application to block the application from running.
Anti-virus scan
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application in the list and click the Properties link.
3. Click Scan.
Enable activity log
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Check the Log application activities checkbox in the Log section of the Application properties window.
4. Check the Create backup copies for recovery checkbox to instruct the Safe'n'Sec to create backup copies of all the file system and System Registry objects the application alters or deletes.
Recover changed objects
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Specify one or more files or System Registry objects from the activity log in the Log section of the Application properties window.
4. Click the Recover button.
4.3.3.1 Common properties
The Common section of the Application properties window contains information about the application's file and the restrictions assigned:
Path - specifies the full path to the executable file of the application.
Size - specifies the size of the file in bytes.
Created - specifies the date and time when the file was created.
Changed - specifies the date and time when the file was last changed.
Description - provides the description text from the file's version info.
Application - provides the product's description (read from the version info of the file).
Company - specifies the name of the company that produced the application (read from the version info of the file).
Rules - defines the restrictions assigned to the application:
  Custom - identifies either a Trusted or Well-known application. Custom restrictions only are in effect.
  Common and custom - identifies an application with limited functionality. Common and Custom restrictions are in effect.
  Execution blocked - indicates that the application is blocked from executing.
  User assigned - specifies that restrictions were manually assigned by you.
  Automatically assigned - specifies that restrictions were assigned by the Safe'n'Sec automatically according to the results of automatic setup.
Identification - specifies the identity of the application according to the following criteria:
  Certificate - whether the application has a trusted certificate (digital signature).
  Catalogue file - whether the application has an associated record in a Windows catalogue file (cat file).
  Safe'n'Sec database - indicates whether the application has an associated record in the "white list" of the Safe'n'Sec.
  <no data> - indicates that the application has not been identified.
Scan results - contains information about the anti-virus scan of the application.
Actions
Change restrictions
1. Switch to the Processes and applications section in the Application control policy window.
2. Select an application from the list and click the Properties link.
3. In the Common section of the Rule conditions group click the Restrictions link and select:
  Remove from Trusted to force the Safe'n'Sec to assign Common and Custom restrictions to the application.
  Trust to tell the Safe'n'Sec to assign Custom restrictions to the application.
  Block execution to block the application from running.
Anti-virus scan
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application in the list and click the Properties link.
3. Click Scan.
4.3.3.2 Activity log
The Log section in the Application properties window contains information about application activities in regard to file resource and System Registry access:
Time - specifies the date and time of an event.
Event - contains a description of the event:
  Start - specifies when the application started.
  Stopped - specifies when the application stopped.
  Read - indicates that the application has read a file or a System Registry object.
  Change - indicates that the application has created or changed a file or a System Registry object. The objects changed can be restored.
  Delete - indicates that the application has deleted a file or a System Registry object. The objects deleted can be restored.
Object - specifies the name of the file or System Registry object.
Result - specifies the result of restoring a changed object:
  Restored - indicates that the object has successfully been restored.
  Recovery error - indicates that the object cannot be restored.
The Safe'n'Sec stores backup copies of modified objects in the <Safe'n'Sec installation directory>\History
folder.
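The following Python model of the activity log with backup copies and the Recover action (Change and Delete events, a backup copy taken into the History folder before an object is altered or deleted, and Restored or Recovery error filled in as the Result) is an added example and is not Safe'n'Sec code. It covers file system objects only, works in a temporary directory with constructed files, and its handling of a created object and of a log kept with backups switched off are assumptions about the product's behaviour.

```python
from __future__ import annotations
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path


@dataclass
class LogEntry:
    """One row of the Log section: Time, Event, Object and, after recovery, Result."""
    time: datetime
    event: str                  # Read, Change or Delete (Start/Stopped omitted here)
    obj: str                    # path of the file object
    created: bool = False       # a Change that created the object rather than altering it
    backup: Path | None = None  # backup copy in the History folder, if one was taken
    result: str = ""            # Restored or Recovery error, filled in by recover()


class ActivityLog:
    """Per-application activity log with backup copies for recovery (constructed model)."""

    def __init__(self, history_dir: Path, backups: bool = True):
        self.history_dir = history_dir
        self.backups = backups  # the Create backup copies for recovery checkbox
        self.entries: list[LogEntry] = []
        history_dir.mkdir(parents=True, exist_ok=True)

    def _record(self, event: str, path: Path, **extra) -> LogEntry:
        entry = LogEntry(datetime.now(), event, str(path), **extra)
        self.entries.append(entry)
        return entry

    def _backup(self, path: Path) -> Path | None:
        """Copy the object into History before it is altered or deleted."""
        if not self.backups or not path.exists():
            return None
        dest = self.history_dir / f"{len(self.entries):04d}_{path.name}"
        shutil.copy2(path, dest)
        return dest

    def read(self, path: Path) -> bytes:
        self._record("Read", path)
        return path.read_bytes()

    def change(self, path: Path, data: bytes) -> None:
        created = not path.exists()
        backup = self._backup(path)
        path.write_bytes(data)
        self._record("Change", path, created=created, backup=backup)

    def delete(self, path: Path) -> None:
        backup = self._backup(path)
        path.unlink()
        self._record("Delete", path, backup=backup)

    def recover(self, entries: list[LogEntry]) -> list[str]:
        """The Recover button: undo the selected Change/Delete events and set Result."""
        for e in entries:
            if e.created:                      # undoing a creation means removing the file
                Path(e.obj).unlink(missing_ok=True)
                e.result = "Restored"
            elif e.backup is not None and e.backup.exists():
                shutil.copy2(e.backup, e.obj)  # covers both altered and deleted objects
                e.result = "Restored"
            else:                              # no backup copy was taken, nothing to restore
                e.result = "Recovery error"
        return [e.result for e in entries]


def run_demo() -> dict:
    """Constructed scenario: an application tampers with three files, then we recover them."""
    root = Path(tempfile.mkdtemp(prefix="sns_demo_"))
    hosts, cfg, dropped = root / "hosts", root / "app.ini", root / "dropper.exe"
    hosts.write_bytes(b"127.0.0.1 localhost\n")
    cfg.write_bytes(b"[settings]\nupdate=on\n")
    try:
        log = ActivityLog(root / "History")
        log.read(hosts)
        log.change(hosts, b"127.0.0.1 localhost\n203.0.113.5 bank.example\n")  # redirected
        log.delete(cfg)
        log.change(dropped, b"MZ-constructed-bytes")                           # new file
        results = log.recover([e for e in log.entries if e.event != "Read"])
        restored_hosts = hosts.read_bytes()
        # Same tampering with the backup checkbox unchecked: recovery cannot succeed.
        no_backups = ActivityLog(root / "History2", backups=False)
        no_backups.change(hosts, b"")
        return {
            "results": results,
            "hosts": restored_hosts,
            "cfg_exists": cfg.exists(),
            "dropper_exists": dropped.exists(),
            "without_backup": no_backups.recover(no_backups.entries),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```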
Actions
Enable activity log
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Check the Log application activities checkbox in the Log section of the Application properties window.
4. Check the Create backup copies for recovery checkbox to instruct the Safe'n'Sec to create backup copies of all the file system and System Registry objects the application alters or deletes.
Restore changed objects
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Specify one or more files or System Registry objects from the activity log in the Log section of the Application properties window.
4. Click the Recover button.
4.3.3.3 Custom rules
The Rules section in the Application properties window contains information about Custom rules that
control an application when it accesses computer resources and devices. These rules are grouped into
the following:
File system.
System Registry.
Network.
Process privileges.
Devices.
Custom rules take precedence over Common ones: the Custom rules are evaluated first. The
Safe'n'Sec may be shipped with a predefined set of rules established by the company's experts as a
result of examining the behaviour of the given application. Changing Custom rules for an
application works exactly the same way as changing Common ones.
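The precedence rule above as an added example: Custom rules are consulted before Common rules, and the first match in the relevant group decides. This is not the product's rule engine; the Rule and Policy classes, the glob-style matching, the "notify" default for an unmatched access and the sample rules are assumptions of this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# The five rule groups named in the manual.
CATEGORIES = ("File system", "System Registry", "Network", "Process privileges", "Devices")


@dataclass(frozen=True)
class Rule:
    category: str   # one of CATEGORIES
    pattern: str    # glob matched against the resource the application accesses
    action: str     # "allow" or "block"


@dataclass
class Policy:
    """Application control policy: Custom rules are checked before Common rules."""
    custom: List[Rule]        # per-application rules (may be vendor-predefined)
    common: List[Rule]        # rules shared by all applications
    default: str = "notify"   # assumption: no rule matched -> Notification window

    def evaluate(self, category: str, resource: str) -> Tuple[str, str]:
        """Return (action, tier) for one access; the first matching rule wins."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown rule group: {category}")
        for tier, rules in (("custom", self.custom), ("common", self.common)):
            for rule in rules:
                # Case-insensitive because Windows paths are; patterns are globs.
                if rule.category == category and fnmatchcase(resource.lower(), rule.pattern.lower()):
                    return rule.action, tier
        return self.default, "default"


def demo() -> dict:
    """Constructed policy: Common rules protect the Windows folder and block SMTP;
    a Custom rule lets one vendor updater replace its own driver file only."""
    common = [
        Rule("File system", r"C:\Windows\*", "block"),
        Rule("Network", "*:25", "block"),
    ]
    updater_rules = [
        Rule("File system", r"C:\Windows\System32\drivers\vendor.sys", "allow"),
    ]
    policy = Policy(custom=updater_rules, common=common)
    return {
        # The Custom rule is evaluated first and overrides the Common block.
        "own_driver": policy.evaluate("File system", r"C:\Windows\System32\drivers\vendor.sys"),
        # No Custom rule for this path, so the Common rule applies.
        "other_file": policy.evaluate("File system", r"C:\Windows\System32\kernel32.dll"),
        "smtp": policy.evaluate("Network", "203.0.113.5:25"),
        # Nothing matches: fall through to the default (ask the user).
        "https": policy.evaluate("Network", "203.0.113.5:443"),
    }
```

Because Custom rules win, a broad Custom "allow" is the most dangerous entry a policy can contain: it silently disables the Common protection for that application, so such entries deserve review whenever a predefined rule set is imported.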
4.4 Notifications
The Safe'n'Sec controls all activities of all the applications installed on the computer and notifies the
user about each violation of a control policy or an unknown application start.
This chapter describes the notifications of the Safe'n'Sec:
Unknown application launch
Policy violation
Actions
Install new software
1. Launch the setup program of a new application.
2. In the Notification window popped up by the Safe'n'Sec click the Details link.
3. Check the Install new program checkbox and click the Execute button.
Enable/Disable an activity for session
1. In the Notification window click the Details link.
2. Check the In this session checkbox in the appropriate group and click the Enable or Disable button.
The Safe'n'Sec will enable or disable the specified activity for as long as the current application session lasts.
For instance: an application tries to change a system file located within the Windows system folder. The
Safe'n'Sec will notify you about an attempt to change this file only once; if you choose to disable the
activity, all subsequent attempts to change system files will be blocked. The next time the
application tries to change a system file again the Safe'n'Sec will again notify you about such an
attempt.
Enable/Disable activity as a rule
1. In the Notification window click the Details link.
2. Check the Remember checkbox in the appropriate group and click either the Enable or the Disable button.
The Safe'n'Sec will remember your choice.
For instance: if an application tries to change a system file in the Windows system folder the
Safe'n'Sec will notify you about such an attempt. If you choose to block such an action and specify to
Remember your choice, the Safe'n'Sec will never let the application change system files in the Windows
system folder, without even popping up the Notification window.
4.4.1 Unknown application launch
When an unknown application tries to launch, the Safe'n'Sec notifies the user and asks for a
decision on whether the application should be allowed to start. The Notification window comprises two
parts:
Application description. This block contains information about the application: its name, producer company, path.
Action. Specifies what to do with the application:
    Run - specifies that the application should be allowed to start. If you know for sure that the source of the application is trusted you are recommended to allow it to start.
    Block - specifies that the application should be blocked. You are advised to choose this action if the application has come from an untrusted source or it is not you who initiated its launch.
NOTICE
If you fail to make a decision on whether the application should be allowed to start within 5 minutes, the
Safe'n'Sec will block the application and close the Notification window.
Actions
Install new software
1. Launch the setup program of a new application.
2. In the Notification window popped up by the Safe'n'Sec click the Details link.
3. Check the Install new program checkbox and click the Execute button.
4.4.2 Policy violation
When an activity policy is violated the Safe'n'Sec notifies the user about this fact. In most cases the
program requires no user interaction to block suspicious activity. The Notification window comprises
three sections:
Caption. It contains a concise description of the event that occurred, for instance: a protected file is being changed, a network connection is being established, etc.
Application and object description. This section contains information about an application (its name, producer, path) and an object (file name, System Registry path, etc.).
Action. Allows you to specify which action is to be taken by the Safe'n'Sec:
    Allow - indicates that the application's activity should be allowed. It is recommended to choose this action when dealing with well-known or trusted applications.
    Block - indicates that the application's activity should be blocked. You are recommended to choose this action whenever dealing with an application that is of unknown origin or that was not launched by you.
NOTE
If you fail to make a decision on what action should be taken in response to the Notification window
the Safe'n'Sec will block the activities of the application that caused it and close the window.
Actions
Enable/Disable an activity for session
1. In the Notification window click the Details link.
2. Check the In this session checkbox in the appropriate group and click the Enable or Disable button.
The Safe'n'Sec will enable or disable the specified activity for as long as the current application session lasts.
For instance: an application tries to change a system file located within the Windows system folder. The
Safe'n'Sec will notify you about an attempt to change this file only once; if you choose to disable the
activity, all subsequent attempts to change system files will be blocked. The next time the
application tries to change a system file again the Safe'n'Sec will again notify you about such an
attempt.
Enable/Disable activity as a rule
1. In the Notification window click the Details link.
2. Check the Remember checkbox in the appropriate group and click either the Enable or the Disable button.
The Safe'n'Sec will remember your choice.
For instance: if an application tries to change a system file in the Windows system folder the
Safe'n'Sec will notify you about such an attempt. If you choose to block such an action and specify to
Remember your choice, the Safe'n'Sec will never let the application change system files in the Windows
system folder, without even popping up the Notification window.
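The decision handling described in 4.4.1 and 4.4.2, as an added example: the 5-minute timeout that ends in Block, a missing answer to a policy-violation window that also ends in Block, the In this session checkbox that lasts for one application session, and the Remember checkbox that persists. This is not the product's code; the Notifier class, the answer format, the injectable clock and the walk-through in demo() are constructions of this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

UNKNOWN_LAUNCH_TIMEOUT = 5 * 60   # seconds; the manual: no answer in 5 minutes -> block

# A policy-violation answer is (action, scope): scope is "session" (In this session
# checkbox), "remember" (Remember checkbox) or "once". None means no answer at all.
Answer = Optional[Tuple[str, str]]


@dataclass
class Notifier:
    remembered: Dict[Tuple[str, str], str] = field(default_factory=dict)  # persists
    session: Dict[Tuple[str, str], str] = field(default_factory=dict)     # per run
    prompts: int = 0                                                      # windows shown

    def unknown_launch(self, app: str, ask: Callable[[], Optional[str]],
                       clock: Callable[[], float] = time.monotonic) -> str:
        """Unknown application launch: Run or Block; no answer within the timeout is Block."""
        self.prompts += 1
        started = clock()
        answer = ask()           # "run", "block" or None
        if answer is None or clock() - started >= UNKNOWN_LAUNCH_TIMEOUT:
            return "block"
        return answer

    def policy_violation(self, app: str, activity: str, ask: Callable[[], Answer]) -> str:
        """Policy violation: reuse a remembered or session decision, otherwise prompt."""
        key = (app, activity)
        if key in self.remembered:
            return self.remembered[key]      # Remember: never ask again
        if key in self.session:
            return self.session[key]         # In this session: asked once already
        self.prompts += 1
        answer = ask()
        if answer is None:
            return "block"                   # no decision -> block the activity
        action, scope = answer
        if scope == "remember":
            self.remembered[key] = action
        elif scope == "session":
            self.session[key] = action
        return action

    def end_session(self, app: str) -> None:
        """The application exits: session decisions expire, remembered ones stay."""
        for key in [k for k in self.session if k[0] == app]:
            del self.session[key]


def demo() -> dict:
    """Constructed walk-through of the two notification types."""
    n = Notifier()
    prompt_answer = n.unknown_launch("setup.exe", lambda: "run")
    # The user answers Run only after 301 s: the fake clock jumps past the timeout.
    ticks = iter([0.0, 301.0])
    late_answer = n.unknown_launch("unknown.exe", lambda: "run", clock=lambda: next(ticks))

    act = "change system file"
    first = n.policy_violation("app.exe", act, lambda: ("block", "session"))
    second = n.policy_violation("app.exe", act, lambda: ("allow", "session"))   # not asked
    prompts_first_session = n.prompts
    n.end_session("app.exe")
    third = n.policy_violation("app.exe", act, lambda: ("block", "remember"))   # asked again
    n.end_session("app.exe")
    fourth = n.policy_violation("app.exe", act, lambda: ("allow", "session"))   # not asked
    return {
        "run": prompt_answer, "late": late_answer,
        "first": first, "second": second, "prompts_first_session": prompts_first_session,
        "third": third, "fourth": fourth, "prompts_total": n.prompts,
    }
```

The fail-closed defaults are the security-relevant detail: whenever the user does not decide, the launch or the activity is blocked, and a Remember decision is consulted before the user is ever shown a window again.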
5 Scan
Computer scanning aims at detecting malicious code and is based on:
Anti-virus databases - the databases contain signatures of known viruses, trojan programs and other malicious objects.
Spyware databases - these databases contain signatures of known spy programs.
The Rootkit Detector component is used to search for hidden objects (rootkits). A rootkit is a program or a set of programs that are used to hide malicious activities and artifacts of an intruder or a harmful program in the Operating System. A rootkit injects itself into the Operating System and disguises its own existence and the existence of processes, folders and System Registry keys belonging to other malicious programs described in the rootkit's configuration file.
The Safe'n'Sec compares the object it scans against records in its databases and if a match is found it
marks the object as malicious. This is a signature-based analysis. In order to detect hidden resources
all the running processes and system hooks are checked.
In order to perform a scan it is necessary to:
Include objects for scanning into the protection scope. Any object from the following list can be scanned: file system objects (logical drives and files), system memory, bootable sectors, etc. By default all the objects are included into the scope.
According to the scan results, make a decision regarding the threats found if they have not been neutralized.
It is recommended to perform a scan:
immediately after the Safe'n'Sec is installed onto the computer, provided that no other anti-virus software was previously installed.
each time application activity control has been disabled and external storage (USB, CD, DVD, etc.) was used or an Internet connection was established.
NOTICE
In order to be able to use anti-virus and spy databases an appropriate license is required.
IMPORTANT
For the Safe'n'Sec to be effective at malicious code search it is required to update its anti-virus and
spy databases daily. It is recommended to set up Daily automatic update.
Actions
Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.
Stop scan
1. Click the Stop scan button in the Scan section of the Control panel. Note that when a scan is just initializing it cannot be stopped.
2. To examine the state of the scan click the Details link.
View scan report
1. Click the Last scan link in the Scan section of the Control panel.
2. To view previous scan reports navigate to the <product installation directory>\Reports folder and open a scan<scan date and time>.txt file.
Manually treat threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Ask upon completion checkbox in order for the program to display a list of threats found as soon as a scan completes.
or
3. Check the Ask action checkbox to instruct the Safe'n'Sec to ask you what to do each time a threat is found.
4. Start scan.
Scan all files/search for unknown threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the All files and Use heuristic analyzer checkboxes.
3. Start scan.
Scan archives and e-mail databases
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Archives and E-Mail databases checkboxes.
3. Start scan.
Search for rootkits
1. Open the Program settings window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Search for hidden resources checkbox.
3. Start scan.
5.1 Objects
You can specify the following objects to be scanned:
System memory - specifies scanning of all running processes.
It is recommended to perform a system memory scan daily and whenever new processes not started by you appear.
Bootable sectors - specifies scanning of disc bootable sectors.
Objects in quarantine - specifies that objects moved to quarantine should be scanned.
It is recommended to rescan objects in quarantine each time a program update completes.
All removable drives - specifies that all file system objects on all removable drives are to be scanned.
It is recommended to scan removable drives each time you plan to read or write files from or to such drives or run a program from removable media.
All hard drives - specifies all the file system objects on all hard drives.
My computer - specifies that all file system objects on the computer are to be scanned.
Trash - specifies that all deleted file system objects are to be scanned.
My documents - specifies that your documents are to be scanned.
Desktop - specifies that all file system objects residing on the desktop are to be scanned.
Actions
Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.
5.2 Scan results
When a malicious object is detected the Safe'n'Sec determines its type (a virus, a trojan program, a spy
program, etc.) and treats it in one of the following manners:
Treats the infected object, or deletes it if treatment is impossible.
Postpones treatment of the objects detected until the scan completes. The Safe'n'Sec will notify you with the list of detected threats upon scan completion and will ask you to treat them manually.
Asks for an action each time a threat is detected:
    Treat - means that the Safe'n'Sec will try to treat the threat, or delete it if treatment is not possible, or terminate a malicious process.
    It is recommended to perform this action when your data or your program has been modified by a malicious program.
    Delete - means to delete an infected file or terminate a malicious process.
    It is recommended to perform this action when a malicious program (virus, trojan, spy program, etc.) has been detected.
    Move to quarantine - instructs the Safe'n'Sec to move an infected object to a special folder and block it from execution.
    This action is recommended whenever you suspect the Safe'n'Sec has found a malicious object.
    Skip - tells the Safe'n'Sec not to take any steps to treat the object.
Actions
View threats found
1. A list of all the threats detected is available only after a scan completes and contains a log of all the objects found since the Safe'n'Sec was installed.
2. Click the Detected link in the Scan section of the Control panel.
View scan report
1. Click the Last scan link in the Scan section of the Control panel.
2. To view previous scan reports navigate to the <product installation directory>\Reports folder and open a scan<scan date and time>.txt file.
Change action on threat found
1. Open the Program settings window from the context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check an appropriate checkbox in the Action group.
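Sections 5 and 5.2 together describe a signature scan with an executable-only default, optional archive scanning, and an action applied to each detection. The following is an added illustration of that flow over a constructed folder; it is not the product's scanner. The whole-file SHA-256 database, the use of the standard EICAR test string as its only entry, the executable extension list and the ".quar" quarantine naming are all assumptions of this example.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}

# Constructed signature database: sha256 of the whole object -> detection name.
# EICAR is the harmless industry test string; the real database format is not
# described in the manual.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES: Dict[str, str] = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}


@dataclass
class ScanSettings:
    all_files: bool = False   # default: executable files only (section 7.2)
    archives: bool = False    # compound objects scan is disabled by default
    action: str = "treat"     # treat / delete / quarantine / skip


@dataclass
class Finding:
    obj: str        # file path, or "<archive>!<member>" for objects inside archives
    detected: str   # signature name
    status: str     # Detected / Deleted / Moved to quarantine / Cannot ...


def match(data: bytes) -> Optional[str]:
    """Signature-based analysis: exact match of the object against the database."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def apply_action(path: str, action: str, quarantine_dir: str) -> str:
    """Carry out the configured action on a detected file and report its Status."""
    if action == "skip":
        return "Detected"
    if action == "quarantine":
        os.makedirs(quarantine_dir, exist_ok=True)
        try:
            shutil.move(path, os.path.join(quarantine_dir, os.path.basename(path) + ".quar"))
            return "Moved to quarantine"
        except OSError:
            return "Cannot move to quarantine"
    # "treat": a whole-file match leaves nothing to disinfect, so fall back to delete.
    try:
        os.remove(path)
        return "Deleted"
    except OSError:
        return "Cannot be deleted"


def scan(root: str, settings: ScanSettings, quarantine_dir: str) -> List[Finding]:
    """Walk the scan scope and apply the action to every matching object."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if settings.archives and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    hits = [(m, match(zf.read(m))) for m in zf.namelist()]
                hits = [(m, sig) for m, sig in hits if sig]
                if hits:   # the archive is one object: act on it once
                    status = apply_action(path, settings.action, quarantine_dir)
                    findings.append(Finding(f"{path}!{hits[0][0]}", hits[0][1], status))
                continue
            if not settings.all_files and os.path.splitext(name)[1].lower() not in EXECUTABLE_EXT:
                continue
            with open(path, "rb") as fh:
                sig = match(fh.read())
            if sig:
                findings.append(Finding(path, sig, apply_action(path, settings.action, quarantine_dir)))
    return sorted(findings, key=lambda f: f.obj)


def demo() -> dict:
    """Constructed scan scope: a clean executable, an EICAR executable, an EICAR
    text file and a zip archive carrying an EICAR attachment."""
    root, quarantine = tempfile.mkdtemp(), tempfile.mkdtemp()

    def put(name: str, data: bytes) -> None:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    put("clean.exe", b"MZ" + b"\x00" * 64)
    put("dropper.exe", EICAR)
    put("notes.txt", EICAR)
    with zipfile.ZipFile(os.path.join(root, "mail.zip"), "w") as zf:
        zf.writestr("attachment.exe", EICAR)

    default = scan(root, ScanSettings(), quarantine)   # executables only, treat -> delete
    after_default = sorted(os.listdir(root))
    full = scan(root, ScanSettings(all_files=True, archives=True, action="quarantine"), quarantine)
    quarantined = sorted(os.listdir(quarantine))
    shutil.rmtree(root)
    shutil.rmtree(quarantine)
    return {
        "default": [(os.path.basename(f.obj), f.detected, f.status) for f in default],
        "after_default": after_default,
        "full": [(os.path.basename(f.obj), f.detected, f.status) for f in full],
        "quarantined": quarantined,
    }
```

The first scan in demo() shows what the defaults miss: the same test string in notes.txt and inside mail.zip is left in place until All files and Archives are enabled, which is the reason the manual's "Scan all files" and "Scan archives and e-mail databases" procedures exist.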
5.3 Threats detected
The Detected threats l ist contains information about malicious objects found supplied with actions
taken on such objects:
Date - specifies the date and time when a malicious object was found.
Object - specifies the name of the object and its path:
    File name.
    Process name in memory.
    Bootable sector.
Path - specifies the full path to the object.
Detected - specifies the name of the malicious object.
Status - indicates the status of the object:
    Detected - indicates that a malicious object has been detected.
    Treated - indicates that the malicious object has been disinfected.
    Deleted - indicates that the malicious object has been deleted.
    Moved to quarantine - indicates that the malicious object has been moved to the quarantine folder.
    Cannot be treated - indicates that the object cannot be treated. It is recommended to try to delete the object.
    Cannot be deleted - indicates that an error occurred at an attempt to delete the object. In such a case it is recommended to terminate the process and block the object.
    Cannot move to quarantine - indicates that an error occurred when the Safe'n'Sec tried to move the object to the quarantine folder. In such a case it is recommended to terminate the process and block the object.
Treat - means to treat the object.
Delete - means to delete the malicious objects.
Move to quarantine - means to move the malicious objects to a special quarantine folder.
NOTICE
The list of threats found is available only after a scan completes. The list contains the entire history about
all the threats detected from the moment the Safe'n'Sec was installed.
Actions
Manually treat threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Ask upon completion checkbox in order for the program to display a list of threats found as soon as a scan completes.
or
3. Check the Ask action checkbox to instruct the Safe'n'Sec to ask you what to do each time a threat is found.
4. Start scan.
Send detected threats to Support for analysis
1. Select objects in the Threats found list.
2. Select the Send command from the list's context menu. The Safe'n'Sec will create an e-mail with the information required by the company's Support service and open it in the default e-mail client.
3. Send the e-mail.
Obtain information about the object detected
1. Select objects in the Threats found list.
2. Select the Info <object name> command from the list's context menu. The Safe'n'Sec will open the default web browser with the list of resources containing information about the object displayed.
3. Select the Open file's folder item from the list's context menu to locate the file on the computer.
6 Program update
During the update process the Safe'n'Sec checks for new updates, determines their size, and downloads and
installs them:
Program module updates improve the functionality of the Safe'n'Sec, add new features and introduce bug fixes.
Anti-virus database updates add new records to the anti-virus signature databases of the Safe'n'Sec. These databases are used by the program when it scans the computer.
Spy program database updates add new records to the spy program databases of the Safe'n'Sec.
Application control policy updates bring new activity rules.
What kind of updates are available to you is determined by the license you have, which describes which components are available.
For instance, if the license includes the Safe'n'Sec Core only, the update process will not check for anti-virus and spy database updates and therefore these databases will not be installed onto the computer.
IMPORTANT
The Safe'n'Sec uses the company's own update servers. For an update to succeed an Internet connection is
required. By default Internet connection parameters are detected automatically. If you connect to the
Internet via a proxy server and the Safe'n'Sec is unable to detect the proxy settings automatically,
set up the network connection parameters manually.
NOTE
Certain updates of program modules may require system restart.
Actions
Start update
1. Click the Start update button in the Update section of the Control panel.
2. To view the state of the update process click the Details link.
Interrupt update
1. Click the Stop update button in the Update section of the Control panel. The update process can actually be stopped only while updates are being downloaded or installed.
2. To view the state of the update process click the More link.
View update report
1. Click the Installed updates link in the Update section of the Control panel.
2. To view reports on previous updates navigate to the <product installation directory>\Reports folder and open an update<update date and time>.txt file.
Setup network connection
1. Open the Program settings window from the context menu and select the Update section.
or
Click the Settings link in the Update section of the Control panel.
2. Check the Use proxy server checkbox.
3. Provide the IP address or DNS name of the proxy server and its port (defaults to 80) in the corresponding fields.
4. Check the Use proxy server authorization checkbox if authorization is required. Provide the user name and password in the corresponding fields.
Setup automatic update
1. Open the Program settings window from the program's context menu and select the Update section.
or
Click the Settings link in the Update section of the Control panel.
2. Check the Update automatically checkbox.
3. Check the Ask for confirmation checkbox in order for the program to ask your permission before starting the update process, so that you are able to disallow an update.
4. Specify how often the program should update itself in the Check for updates list. If you use the Anti-Virus or Anti-Spyware components you are recommended to specify Daily updates.
5. The Next update field will show the time when the program will next update itself.
7 Settings
The Settings window provides you with quick l inks to the main settings of the Safe'n'Sec and contains
the following sections:
Activity control allows you to specify the settings of application activity control, learning mode and activity policies.
Scan allows you to change the settings of malicious code search.
Updates allows you to modify the settings of program updates.
Interface allows you to customize the program's interface, set password protection and specify the regional language.
Reports allows you to customize how reports are formed.
Notifications helps tune the notification system.
Restore deals with settings regarding saving and restoring the program's settings.
The program's settings are also reachable from corresponding sections of the Control panel and context
menu of the program.
Actions
Restore program's settings
1. Open the Program settings window from the program's context menu.
2. Click the Default button in order to restore the default settings only.
or
1. Open the Program settings from the program's context menu and select Settings restore.
2. Specify the date of the settings backup and click the Restore button.
7.1 Activity control
When the Safe'n'Sec is installed the following control parameters are set:
Protection mode: Enabled.
File system: Enabled.
System Registry: Enabled.
Network: Enabled.
Learning mode: Enabled.
Learning mode will finish if no new activity for: 1 day.
Actions
Stop protection
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Uncheck the Enable checkbox in order for the program to stop enforcing all Common rules.
or
Click the Setup button in the Protection mode group and uncheck the checkbox of a protection scope to tell the program to stop controlling this particular type of application activity.
Start Learning mode
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Check the Learning mode checkbox.
3. Click the Settings button in the Protection mode group and specify the number of days the mode should be active in case you need to prolong this phase. The default is 5 days.
NOTE
The Learning mode can have a limited period of activity. If no software unknown to the Safe'n'Sec and no new activities of such software are detected for a certain period of time, the Safe'n'Sec will automatically finish the Learning mode.
Change application control policy
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Click the Settings button in the Application control policies group.
Change application properties
1. Open the Program settings window from the program's context menu and select the Activity control section.
2. Click the Settings button in the Application control policies group.
3. In the window opened select the Applications tab.
4. Specify an application in the list and click the Properties link.
or
5. Click the Registered applications link in the Status section of the Control panel.
6. Specify an application in the list and click the Properties link.
7.2 Scan
When the Safe'n'Sec is installed the following scan parameters are set:
Action: Disinfect, Delete if disinfection fails.
Scan files: executable files only.
Compound objects scan: Disabled.
Scan method: Disabled.
Actions
Manually treat threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Ask upon completion checkbox in order for the program to display a list of threats found as soon as a scan completes.
or
3. Check the Ask action checkbox to instruct the Safe'n'Sec to ask you what to do each time a threat is found.
4. Start scan.
Scan all files/search for unknown threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the All files and Use heuristic analyzer checkboxes.
3. Start scan.
Scan archives and e-mail databases
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Archives and E-Mail databases checkboxes.
3. Start scan.
Search for rootkits
1. Open the Program settings window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Search for hidden resources checkbox.
3. Start scan.
7.3 Updates
When the Safe'n'Sec is installed the following properties of the update process are defined:
Automatic update: Disabled.
Prompt for confirmation prior to updating: Disabled.
Check for updates:
    daily - used by the Safe'n'Sec Core (Core) component.
    monthly - used by the Anti-Virus (AV) or Anti-Spyware (AS) components.
Use proxy server: Disabled. Internet connection properties are copied from the default web browser installed on the computer, for instance from Microsoft Internet Explorer.
Actions
Setup network connection
1. Open the Program settings window from the context menu and select the Update section.
or
Click the Settings link in the Update section of the Control panel.
2. Check the Use proxy server checkbox.
3. Provide the IP address or DNS name of the proxy server and its port (defaults to 80) in the corresponding fields.
4. Check the Use proxy server authorization checkbox if authorization is required. Provide the user name and password in the corresponding fields.
Setup automatic update
1. Open the Program settings window from the program's context menu and select the Update section.
or
Click the Settings link in the Update section of the Control panel.
2. Check the Update automatically checkbox.
3. Check the Ask for confirmation checkbox in order for the program to ask your permission before starting the update process, so that you are able to disallow an update.
4. Specify how often the program should update itself in the Check for updates list. If you use the Anti-Virus or Anti-Spyware components you are recommended to specify Daily updates.
5. The Next update field will show the time when the program will next update itself.
7.4 Interface
When the Safe'n'Sec is installed the following properties of its interface are defined:
Show icon in tray: On.
Enabled sounds: On.
Protect settings with password: Disabled.
Actions
Disable tray icon
1. Open the Program settings window from the program's context menu and select the Interface section.
2. Uncheck the Show tray icon checkbox.
Disable sounds
1. Open the Program settings window from the program's context menu and select the Interface section.
2. Uncheck the Use sounds checkbox.
Password protect settings
1. Open the Program settings window from the program's context menu and select the Interface section.
2. Check the Protect with password checkbox and provide a password in the corresponding field.
IMPORTANT
It is not possible to recover your lost password. If you forget your password you will not be able to
change program settings and will have to reinstall the Safe'n'Sec.
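One design that has the property stated in the IMPORTANT note, added here as an example: the settings password is kept only as a random salt plus a slow PBKDF2 digest, so the program has nothing it could hand back to a user who forgot it, and any settings change first has to pass a constant-time check. This is not the product's code, which the manual does not show; the SettingsLock class, the iteration count and the demo are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # deliberately slow: makes offline guessing expensive


class SettingsLock:
    """Password protection for the settings window (hypothetical design)."""

    def __init__(self) -> None:
        self._record: Optional[Tuple[bytes, bytes]] = None   # (salt, digest), never the password

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def enable(self, password: str) -> None:
        """'Protect with password' checkbox: store a fresh salt and the digest."""
        salt = os.urandom(16)
        self._record = (salt, self._digest(password, salt))

    @property
    def enabled(self) -> bool:
        return self._record is not None

    def verify(self, password: str) -> bool:
        """Constant-time comparison, so timing does not leak how many bytes matched."""
        if self._record is None:
            return True
        salt, digest = self._record
        return hmac.compare_digest(self._digest(password, salt), digest)

    def change_settings(self, password: str, apply: Callable[[], None]) -> bool:
        """Run a settings change only when the password is correct."""
        if not self.verify(password):
            return False
        apply()
        return True


def demo() -> dict:
    """Constructed check: a wrong password leaves protection on, the right one changes it."""
    lock = SettingsLock()
    settings = {"protection": "Enabled"}

    def disable_protection() -> None:
        settings["protection"] = "Disabled"

    lock.enable("correct horse")
    wrong = lock.change_settings("guess", disable_protection)
    after_wrong = settings["protection"]
    right = lock.change_settings("correct horse", disable_protection)
    return {"wrong": wrong, "after_wrong": after_wrong,
            "right": right, "after_right": settings["protection"]}
```

Because only the salt and digest are stored, forgetting the password really does leave reinstalling as the only way back, which is exactly the trade-off the note describes.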
7.5 Reports
When the Safe'n'Sec is installed the following properties of reports are defined:
Create reports: All.
Time to keep reports: 5 days.
The program prepares the following types of reports:
System report contains data about the program's execution, exceptions and warnings about activity policy violations. A text file named after the system_date_time.txt template is created each time the program starts.
Updates report contains data regarding the update process. A text file named after the update_date_time.txt template is created each time an update process starts.
Scan report contains data regarding the scanning process. A text file named after the scan_date_time.txt template is created each time a scan starts.
Threats report contains data about threats detected. A text file named threats.xml is recreated each time the computer is scanned.
All the reports are saved to the <product installation directory>\Reports folder.
Actions
Disable reports
1. Open the Program settings window from the program's context menu and select the Reports section.
2. Uncheck the Create reports checkbox.
or
3. Uncheck the checkbox of the required type of reports. The Safe'n'Sec will stop creating reports of the specified type.
Change how long reports are to be kept
1. Open the Program settings window from the program's context menu and select the Reports section.
2. Specify the number of days reports are to be kept in the corresponding field.
Remove all reports
1. Open the Program settings window from the program's context menu and select the Reports section.
2. Click the Clear button.
3. Delete all files from the <product installation directory>\Reports folder.
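The retention rule (Time to keep reports, default 5 days) applied to the file name templates of section 7.5, as an added example that is not the product's code. The manual does not state the date_time format, so the YYYYMMDD_HHMMSS stamp is an assumption of this example, as is leaving threats.xml untouched because it carries no stamp and is recreated on every scan.

```python
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# File name templates from section 7.5; the stamp format is assumed.
REPORT_NAME = re.compile(r"^(?P<kind>system|update|scan)_(?P<stamp>\d{8}_\d{6})\.txt$")
STAMP_FORMAT = "%Y%m%d_%H%M%S"


def classify(name: str) -> Optional[Tuple[str, Optional[datetime]]]:
    """Map a file name in the Reports folder to (report type, creation time)."""
    m = REPORT_NAME.match(name)
    if m:
        return m.group("kind"), datetime.strptime(m.group("stamp"), STAMP_FORMAT)
    if name == "threats.xml":
        return "threats", None       # recreated on every scan, has no time stamp
    return None                      # not a report: leave it alone


def expired_reports(reports_dir: str, keep_days: int, now: datetime) -> List[str]:
    """Reports older than the 'Time to keep reports' setting, sorted by name."""
    cutoff = now - timedelta(days=keep_days)
    expired = []
    for name in os.listdir(reports_dir):
        info = classify(name)
        if info is None or info[1] is None:
            continue
        if info[1] < cutoff:
            expired.append(name)
    return sorted(expired)


def purge_reports(reports_dir: str, keep_days: int, now: datetime) -> List[str]:
    """Delete expired reports; this is the job the 'Reports' notification origin announces."""
    removed = expired_reports(reports_dir, keep_days, now)
    for name in removed:
        os.remove(os.path.join(reports_dir, name))
    return removed


def demo() -> dict:
    """Constructed Reports folder checked against the default 5-day retention."""
    reports = tempfile.mkdtemp()
    now = datetime(2010, 6, 15, 12, 0, 0)
    for name in ("system_20100601_080000.txt", "system_20100612_080000.txt",
                 "scan_20100609_230000.txt", "update_20100615_090000.txt",
                 "threats.xml", "readme.txt"):
        open(os.path.join(reports, name), "w").close()
    removed = purge_reports(reports, 5, now)
    left = sorted(os.listdir(reports))
    shutil.rmtree(reports)
    return {"removed": removed, "left": left}
```

Only names that match a known template are ever deleted, so a stray file dropped into the Reports folder survives the purge; an incident responder who wants system reports kept longer than the scan history only needs to raise keep_days before the evidence ages out.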
7.6 Notifications
When the Safe'n'Sec is installed the following notification properties are defined:
Show notifications: All.
When the program generates an event it displays special notification windows. Depending on the
seriousness of an event a notification can have one of the following origins:
Protection status - indicates that the protection status has changed or there are errors in protection components.
Program update - indicates that errors have occurred in the program update process.
Computer scan - indicates that new threats have been detected or there are errors in the scanning process.
Learning mode - used during the creation of application activity rules.
Reports - used when automatically deleting reports.
License - used to notify you about the state of the license or when the license expires.
Actions
Disable notifications
1. Open the Program settings window from the program's context menu and select the Notifications section.
2. Uncheck the Show notifications checkbox.
or
3. To stop showing notifications of a specific origin uncheck the corresponding checkbox.
7.7 Program recovery
When the Safe'n'Sec is installed, backup copies of the program settings and activity policies are created. If
the program or other applications fail you are able to restore the settings and policies from these
backups.
Actions
Save program state
1. Open the Program settings window from the program's context menu and select the Recovery section.
2. Click the Save button.
Recover program
1. Open the Program settings window from the program's context menu and select the Recovery section.
2. Specify the recovery point marked Program setup in order for the Safe'n'Sec to restore its settings as they were when the program was first installed.
or
3. Specify the recovery point of a certain date in order for the Safe'n'Sec to restore its settings to those saved on the specified date.
4. Click the Recover button.
IMPORTANT
Program recovery completely rewrites current settings and all the data concerning application
activities. It is not possible to merge data of the current settings and activity log with the backup data.
8 S.N.Safe'n'Software
S.N.Safe & Software Ltd. develops information security solutions for personal users and for business
and corporate clients.
S.N.Safe & Software Ltd. was founded in 2006 in Moscow as a result of Safe'n'Sec project spin-off from
StarForce Technologies.
In 2003 StarForce's developers decided to apply their experience with anti-hacker measures to the development
of computer protection systems, particularly Host-based Intrusion Prevention Systems, based on the
proprietary Safe'n'Sec technology.
The Safe'n'Sec HIPS version for individual PC protection was released in October 2004. The idea of beginning with
a product for PC users was justified by the novelty of behaviour analysis technology on the Russian IT
market. It was decided to test the technology's reliability on a mass basis with the help of non-advanced
users. In autumn 2004 a new version was presented to visitors of the Softool exhibition, where we
received many positive user comments.
In 2005 we presented our novelty to the foreign IT market at the global ICT fair CeBIT 2005 in Germany. In
2005 the Safe'n'Sec Business version was developed with the special needs of SMB networks in mind. At the
same time Panda released its TruePrevent, the first analogue of our product.
In 2006 we presented Safe'n'Sec Enterprise for large corporate networks at Softool in Russia and at
Systems in Munich, Germany. This version was developed especially for efficient protection of corporate
networks of more than 1,000 workstations.
In 2006 we released a special version, Safe'n'Sec Timing, a system for controlling application activity
and user actions in a corporate network. Host Intrusion Prevention Systems became an accepted
information security technology.
In 2007 the company released Safe'n'Sec Pro, providing constant and reliable PC protection from
known and unknown threats and vulnerabilities. At that time our main competitors released their first
solutions in this sphere. At the end of 2007, basing on Safe'n'Sec Pro, we released a new corporate
version, Safe'n'Sec Enterprise Pro.
The company's plans for the near future include the development of technologies to be included in the
complex protection system Safe'n'Sec, and the release of solutions for other OSes (Linux, Apple).
Index
Activity policy 37
Application control policies 8, 16
Application properties
  Common 26
  Log 27
  Restrictions 28
Ask user when complete 9
Ask user when detected 9
Automatic 10
Automatic update 40
Change application control policy 37
Change program settings 37
Change report lifetime 41
Computer scan
  Anti-virus 31
  Change threat response 33
  Interrupt scan 31
  Manually treat threats 34
  Obtain information about the object found 34
  Protection scope 33
  Rootkit 31
  Scan archives and e-mail bases 31
  Scan results 33
  Send objects found to Support 34
  Start scan 31
  Threats found 34
  View scan report 31, 33
  View threats found list 33
Context menu 7
Control panel 8
Custom rules 28
Delete all reports 41
Disable notifications 42
Disable sounds 40
Enable learning mode 37
Enable protection 37
Enable reports 41
Hide tray icon 40
Last scan 9
Last search for updates 10
Learning mode 37
Make decision on threats found 39
Malicious code 4
No threats found 9
Notifications 28
  Policy violation 30
  Unknown application launch 29
On demand 10
Processes and applications
  Application's properties 25
Program recovery 42
Program settings 37
Program update 40
  Automatic update 35
  Interrupt update 35
  Setup automatic update 35
  Setup network connection 35
  Start update 35
  View update report 35
Protect settings with password 40
Protect with password 40
Protection status 8
Quarantine 9
Restore program settings 37, 42
Safe'n'Soft 43
Scan 9
Scan all files/unknown threats 39
Scan archives and e-mail bases 39
Scan for rootkits 39
Scan has never been conducted 9
Scan is unavailable 9
Scan took place long ago 9
Setup automatic update 40
Setup network connection 40
Startup mode
  Automatic 10
Threat response 9
Threats found 39
Unknown application 28
Untreated threats exist 9
Updates are out of date 10
Updates are unavailable 10
Updates are up to date 10
Updates installed 10
What is Safe'n'Sec 4