
Safe'n'Sec

© 2010 S.N.Safe & Software Ltd.

Table of Contents

Chapter I Introduction
  1 What is Safe'n'Sec
  2 How it works
  3 System requirements

Chapter II Graphical User Interface
  1 System tray icon
  2 Context menu
  3 Control panel
    Protection status
    Scan
    Program update
    License
    Help and support

Chapter III Getting started
  1 Program activation
  2 Program update
  3 Scan
  4 Create system profile

Chapter IV Protection
  1 Activity control
  2 Learning mode
  3 Control policy
    Activity policies
      File system
      System Registry
      Network
      Devices
    Processes and applications
    Application properties
      Common properties
      Activity log
      Custom rules
  4 Notifications
    Unknown application launch
    Policy violation

Chapter V Scan
  1 Objects
  2 Scan results
  3 Threats detected

Chapter VI Program update

Chapter VII Settings
  1 Activity control
  2 Scan
  3 Updates
  4 Interface
  5 Reports
  6 Notifications
  7 Program recovery

Chapter VIII S.N.Safe'n'Software

Index


1 Introduction

Dear customer!

S.N.Safe & Software Ltd. thanks you for choosing the Safe'n'Sec. Our experts do their utmost to make the program both meet the highest requirements in the field of information protection and be convenient to use. We believe that the Safe'n'Sec will be helpful to you. This manual is the property of S.N.Safe & Software Ltd. and must not be used without prior written permission from the company. It is prohibited to reproduce parts of this manual, make changes to it, or distribute it electronically or by any other means without prior written permission from the company and a reference to the source.

All the names used throughout this manual are trademarks of S.N.Safe & Software Ltd. and other respective owners.

The contents of the manual may change without notice. Please send your feedback to support@safensoft.com.

S.N.Safe & Software Ltd., 2004-2010

All rights reserved

1.1 What is Safe'n'Sec

The Safe'n'Sec is a program which aims at protecting your data from unknown threats and vulnerabilities. The program utilizes bleeding-edge technologies to detect malicious code. These are proactive technologies: a threat is identified solely by its behaviour, disregarding its executable code. Furthermore, it makes absolutely no difference what kind of threat it is: a virus, a hacker attack, a trojan program, etc.

The Safe'n'Sec ensures that:

· data is protected from new viruses and hacker attacks by means of strict control of any sort of activity that might occur on a computer. Any software activity is examined in detail, and if any threat is detected all unsafe operations are securely blocked.
· the system is protected from break-in and unauthorized access by detecting exploit attacks and changes to the system registry and services, and by restricting access to your data (documents, address books, logo, etc).
· well-known malicious programs (viruses, trojan programs, network worms, spy programs, etc.) are searched for and neutralized on a computer. Antivirus bases of the famous antivirus software vendors are used during the search. This feature is available only if you have purchased the extended delivery set.
· it is automatically updated via the Internet. Our experts continually study new threats and vulnerability development trends. This knowledge helps them build update packets that are automatically delivered to your computer at the proper time.
· detailed reports regarding the functioning of the program are kept. The reports are stored in the form of plain text files. You can view the reports at any time you wish.

It is not malicious code itself that threatens your data, but what the code actually does. A virus can live in a computer for years without ever causing any harm at all. Your data gets corrupted not by the virus itself, but by the malicious actions it performs. Reactive technologies such as anti-viruses are able to detect malicious software only if a corresponding virus signature record exists in an anti-virus database, whereas proactive technologies are able to detect a malicious program when it tries to perform harmful actions. Thus, proactive technologies are always a step ahead of reactive ones.

1.2 How it works

The main purpose of a protection system is to preserve the initial integrity of the Operating System and all its components, including those that were installed by you. A change to the integrity of the Operating System components can be introduced by no one but you. This standard integrity control is implemented in an original manner. The program carries out an automatic setup during which it checks the integrity of the Operating System components and records them in a service database. Any executable module is loaded only after it successfully passes a test against the service database. Any unknown application (an application that has no record in the service database associated with it) can be started and executed only in the current Operating System session and only if it is you who initiated its startup. It is you who is responsible for deciding whether a new application should be considered a system component.

Let us consider an attack scenario in which a flaw in an Operating System component (web browser, e-mail client, instant messenger, P2P client, etc.) is exploited. During execution of malicious shell code the following steps are taken:

· new executable modules are installed (copied to the system directory) and registered to be auto-started during the Operating System start;
· one or more Operating System components are infected. The intruder's goal is to acquire control over the Operating System while keeping it stable.

Since the Safe'n'Sec allows loading only those executable modules that were registered in the service database in advance, new executable modules will fail to run. Those system components that were modified by the malicious shell code will also fail to start. You will be notified about these failures. There is no need to ask your permission to start any of the aforementioned modules, since it is not you who is responsible for the change in the integrity of the Operating System components.


When a new application starts installing, the protection system notifies you that an unregistered application is trying to launch:

· Application launch. The application is allowed to start and load any additional executable modules that miss the integrity check against the service database. Let's suppose such an application is a malicious one. In this case, it can even install additional components into the Operating System; still, they will be allowed to execute till the next time the Operating System is restarted. Upon system restart they will be denied loading since they are not registered in the service database.
· Application launch is prohibited. No comments.
· New application installation. In this case, the protection system registers in the service database all the new components the application installs. The application and its components are granted rights to start.

By default, only those modules that reside on a hard drive are registered in the service database. Executable modules that are distributed as parts of application resources, archives, and the like will not be initially registered. In order for such applications to work properly, the protection system allows starting them in the Install mode, which is the same mode the Safe'n'Sec program operates in when a new application is installed. The Safe'n'Sec should activate the Install mode for a given application only once in the application's life in order to register all the executable modules the application might have in the form of embedded resources, archives, etc. The next launch of the application may be controlled by the protection system in the normal mode without the need for you to perform extra actions.

If a rootkit exists in the Operating System during the protection system installation process, and this rootkit is loaded after the Safe'n'Sec program loads at system startup, the rootkit will fail to run, since its hidden modules are unknown to the protection system and are not registered in the service database.
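The decision logic of this section, as an added example that is not Safe'n'Sec's own code: a toy Python model of the service database, the three answers to the unregistered-application notification, and the effect of a restart. The class and function names, the use of SHA-256 as the integrity record, and the sample paths and contents are assumptions made for illustration.

```python
import hashlib
from enum import Enum


class Choice(Enum):
    """The three answers to the 'unregistered application' notification."""
    LAUNCH = "application launch"                 # run in this OS session only
    PROHIBIT = "application launch is prohibited"
    INSTALL = "new application installation"      # Install mode


class Verdict(Enum):
    LOADED = "registered, integrity intact"
    LOADED_SESSION = "unregistered, allowed until restart"
    REGISTERED = "registered in Install mode and loaded"
    BLOCKED_MODIFIED = "registered module was modified"
    BLOCKED_UNKNOWN = "unregistered, not started by the user"
    BLOCKED_BY_USER = "user prohibited the launch"


def digest(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever integrity record the product keeps.
    return hashlib.sha256(data).hexdigest()


class ProtectionSystem:
    def __init__(self, disk):
        # Automatic setup: record every executable module found on disk.
        self.service_db = {path: digest(data) for path, data in disk.items()}
        self.session_allowed = set()   # (path, digest) pairs, forgotten on restart
        self.install_mode = set()      # paths of applications being installed

    def restart(self):
        self.session_allowed.clear()
        self.install_mode.clear()

    def load(self, path, data, parent=None, user_initiated=False, choice=None):
        h = digest(data)
        recorded = self.service_db.get(path)
        if recorded == h:
            return Verdict.LOADED
        if recorded is not None:
            # A registered component changed: blocked without asking, because
            # the user is not the one who changed it.
            return Verdict.BLOCKED_MODIFIED
        if (path, h) in self.session_allowed:
            return Verdict.LOADED_SESSION
        # Unregistered module loaded by an application the user already ruled on.
        if parent in self.install_mode:
            self.service_db[path] = h
            return Verdict.REGISTERED
        if any(p == parent for p, _ in self.session_allowed):
            self.session_allowed.add((path, h))
            return Verdict.LOADED_SESSION
        if not user_initiated:
            return Verdict.BLOCKED_UNKNOWN
        if choice is Choice.INSTALL:
            self.service_db[path] = h
            self.install_mode.add(path)
            return Verdict.REGISTERED
        if choice is Choice.LAUNCH:
            self.session_allowed.add((path, h))
            return Verdict.LOADED_SESSION
        return Verdict.BLOCKED_BY_USER   # PROHIBIT, or no answer (assumption)


def demo():
    # Constructed sample modules; paths and contents are illustrative only.
    disk = {r"C:\Windows\explorer.exe": b"explorer v1",
            r"C:\Program Files\Browser\browser.exe": b"browser v1"}
    ps = ProtectionSystem(disk)
    out = []
    out.append(ps.load(r"C:\Program Files\Browser\browser.exe", b"browser v1"))
    # Attack scenario: shell code drops an auto-started module and patches a component.
    out.append(ps.load(r"C:\Windows\dropped.exe", b"payload"))
    out.append(ps.load(r"C:\Windows\explorer.exe", b"explorer v1 + patch"))
    # User runs an unknown tool for this session only; it loads its own DLL.
    out.append(ps.load(r"D:\tool.exe", b"tool", user_initiated=True, choice=Choice.LAUNCH))
    out.append(ps.load(r"D:\tool.dll", b"dll", parent=r"D:\tool.exe"))
    ps.restart()
    out.append(ps.load(r"D:\tool.dll", b"dll"))        # session grant is gone
    # User installs an application: it and its components are registered.
    out.append(ps.load(r"D:\setup.exe", b"setup", user_initiated=True, choice=Choice.INSTALL))
    out.append(ps.load(r"C:\App\app.exe", b"app", parent=r"D:\setup.exe"))
    ps.restart()
    out.append(ps.load(r"C:\App\app.exe", b"app"))     # survives the restart
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name)
```

The model keys session grants on both path and digest, so replacing a session-allowed file with different content does not inherit the grant.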

1.3 System requirements

Operating Systems:
· Microsoft Windows 7 Home Basic x86/x64
· Microsoft Windows 7 Home Premium x86/x64
· Microsoft Windows 7 Professional x86/x64
· Microsoft Windows 7 Ultimate x86/x64
Hardware requirements:
· Intel Pentium x86/x64, 800 MHz or compatible
· 512 Mb RAM or more
· At least 150 Mb of free disk space

Operating Systems:
· Microsoft Windows Vista Home Basic x86/x64 (SP1)
· Microsoft Windows Vista Home Premium x86/x64 (SP1)
· Microsoft Windows Vista Business x86/x64 (SP1)
· Microsoft Windows Vista Ultimate x86/x64 (SP1)
Hardware requirements:
· Intel Pentium x86/x64, 800 MHz or compatible
· 512 Mb RAM or more
· At least 150 Mb of free disk space

Operating Systems:
· Microsoft Windows XP Home Edition (SP 3)
· Microsoft Windows XP Professional Edition (SP 3)
· Microsoft Windows XP Professional x64 Edition (SP3)
Hardware requirements:
· Intel Pentium x86/x64, 300 MHz or compatible
· 256 Mb RAM or more
· At least 150 Mb of free disk space

2 Graphical User Interface

The Safe'n'Sec is known for its rather simple and handy interface. This chapter covers its basic elements:

· System tray icon
· Context menu
· Control panel

2.1 System tray icon

As soon as the Safe'n'Sec finishes installing on the user's computer, it displays its icon in the system tray. The icon acts as the program activity indicator. It displays the status of the protection, which can be in one of a number of states:

- protection is activated;
- protection is deactivated;
- automatic program setup;
- protection is being updated;
- computer is being checked.

The icon also provides access to the main elements of the program's interface: the context menu and the control panel.

To activate the context menu, click the program's icon with the right mouse button.

To activate the control panel, double-click the program's icon with the left mouse button.

2.2 Context menu

To open the context menu, right-click the program's icon. The menu contains items that provide quick access to the controls and setup of the Safe'n'Sec:

· Safe'n'Sec item allows you to open the program's main window, the control panel.
· Settings item allows you to view and change the program's parameters.
· Activity Policies item allows you to change application activity policies.
· Processes and applications item takes you to viewing and changing application parameters.
· Scan item allows you to start checking your computer for malicious objects.
· Update item starts the program's update process.
· Enable/disable protection item allows you to change the state of the protection system.
· About item shows the About box with information on the Safe'n'Sec.
· Show program icon item allows you to toggle visibility of the program's icon in the notification area.
· Exit item allows you to shut down the graphical user interface of the program. Note that the protection module will still be running.

2.3 Control panel

The control panel is the main window of the Safe'n'Sec program. It contains the following sections:

· Status is responsible for managing parameters of the computer protection.
· Scan allows you both to scan your computer for malicious code and to manage scan settings.
· Update manages the program update process and its settings.
· License displays legal information regarding your license, program activation, and license scope prolongation.
· Help and support contains information about the version of the Safe'n'Sec and allows you to send an inquiry to the support service.

2.3.1 Protection status

The Status section displays the current status of the protection system:

· Computer is protected assures you that all the protection regions are under control, and the program is stable.
· Partial protection indicates that at least one of the protection regions is out of control.
· Unprotected notifies you that the protection system is disabled altogether.

To change the protection status, click the corresponding link with the left mouse button:

· File system link toggles file system protection.
· System registry link toggles the system registry protection.
· Network link toggles protection of the network connections.

The lower part of the window contains basic information about application activities and allows you to change settings of the application control:

· Applications running displays the number of currently running processes.
· Trusted applications displays the number of trusted and well-known applications. The trusted application list is populated automatically at the phase of program automatic setup or manually by you.
· Controlled applications displays the number of applications whose activities are controlled by application activity policies. The list is populated either automatically when an unknown application starts or manually by you.
· Applications blocked displays the number of applications that were blocked. A blocked application will fail to start as long as Safe'n'Sec protection is enabled.
· Last incident shows information about the last blocked application.
· Settings links to application activity control parameters.


Actions

Enable protection
1. Click the Settings link in the Status section of the Control panel.
2. Disable the Enable checkbox for the program to stop controlling its protection scopes.
or
Click the Change button in the Protection mode group and uncheck the checkbox corresponding to the protection scope you no longer need to control.

Change policy rule
1. Click the Settings link in the Status section of the Control panel.
2. Click the Change button in the Application control policies group.

2.3.2 Scan

The Scan section displays information regarding the last malicious code search and allows you to change settings of the scan process:

· Scan has not been performed indicates that a scan for malicious code has never been conducted.
· No threats found indicates that the last scan either did not reveal any malicious code or all detected threats have been neutralized.
· Untreated threats exist indicates that during the last scan a number of malicious objects were detected, but not all of them were neutralized. It is recommended to update the program and rescan, or to manually neutralize the untreated threats using the detected threats list.
· Scan data is obsolete indicates that more than 5 days have passed since the last scan. It is recommended to scan the computer again.
· Scan is unavailable indicates that the program is not activated. In order to activate the program you should provide a license key.
· Last scan displays detailed information about the last scan.
· Threat response specifies what the program should do in case a threat is detected:
    · Automatic specifies that an attempt should be made to treat the infected object detected, or to delete it if treatment is not possible.
    · Ask user when complete specifies that the program should ask you what should be done to the infected object when the scan completes.
    · Ask user when detected specifies that the program should ask you to decide what should be done to a malicious object each time such an object is detected.
· Settings allows you to change scan settings.
· Quarantine shows you a list of objects moved to quarantine.

Actions

Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.

View scan report
1. Click the Last scan link in the Scan section of the Control panel.
2. To view previous scan reports you will have to navigate to the <product installation directory>\Reports folder and open a scan<scan date and time>.txt file.


2.3.3 Program update

The Update section displays information about the last program update and allows you to change update settings:

· Updates are out of date indicates that the update routine has never taken place or that more than 5 days have passed since the last update. It is recommended to update the program.
· Updates are up to date specifies that the program is up-to-date.
· Updates are unavailable specifies that the program is not activated or the license key has expired. In order to perform a program update you should provide a license key and activate the program, or extend the license.
· Last search for updates displays detailed information about the last search for available updates.
· Updates installed displays details about the last updates installed.
· Startup mode specifies when the update routine starts:
    · Automatic specifies that the update routine should start automatically.
    · On demand specifies that the update routine should start on demand.
· Settings allows you to change update settings.

Actions

Interrupt update
1. Click the Stop update button in the Update section of the Control panel. The update process can actually be stopped only at the phase when updates are being either downloaded or installed.
2. To view the state of the update process click the More link.

View update report
1. Click the Installed updates link in the Update section of the Control panel.
2. To view reports on previous updates you will have to navigate to the <product installation directory>\Reports folder and open an update<update date and time>.txt file.

2.3.4 License

The License section shows information about the license key:

· Active license indicates that the program has been activated and is fully functional.
· License is about to expire indicates that the license will expire in less than 5 days.
· License has expired indicates that the license has expired and the program now works with limited functionality. It is recommended to extend the license or buy a new one.
· No license indicates that the program does not work. It is recommended to provide a license key and activate the program.
· License type
    · Commercial license indicates that the scope of the license key is defined at the moment of license purchase or prolongation. When the key expires it is possible to extend it or buy a new license and reactivate the program.
    · Trial license indicates that a free license key is installed. The scope of such a key is determined by the license agreement for trial license keys. Upon license expiration it is impossible to reactivate the program.
· License expiration date specifies the license key expiration date.
· License validity term (days) specifies the number of days the license key will be valid for.
· Protection components specifies those program modules that are activated with this particular license key:
    · Safe'n'Sec Core (Core) is the base proactive protection component of the Safe'n'Sec.
    · Safe'n'Sec Rootkit Detector (RD) is the base component responsible for rootkit detection.
    · Anti-Virus (AV) is an extra component for detecting viruses, trojan programs and other malicious objects.
    · Anti-Spyware (AS) is an extra component responsible for detecting spy programs.
· License terms specifies limitations imposed upon license key expiration:
    · Update indicates that program updating is disabled.
    · Settings indicates that you cannot change program settings and activity policies.
    · Scan indicates that you cannot scan your computer.
· Read license agreement shows the license text.
· Buy license navigates you to the company's online store, where you can extend your license key or buy a new one.

Actions

Activate program
1. Provide the license key in the Number field and click the Activate button.
2. In case Internet connection is available the program will automatically get activated
or
3. In case no Internet connection is available the program will suggest the Manual activation option.
4. You will be suggested to contact the Support service by phone and provide them with the serial number and hardware code.
5. Type the license key obtained from the Support service in the Number field and click the Activate button.

Extend license
1. Click the Buy license button. You will be navigated to the company's online store.
2. Choose an appropriate product in the store.

2.3.5 Help and support

The Help and support section provides the information you will be asked for when contacting the Support service:

· Safe'n'Sec version.
· Safe'n'Sec update version.
· Version of your Operating System.

Actions

Contact Support
1. To send a request to the Support service, establish an Internet connection.
2. Click the Send request to Support via E-Mail link to send your request by e-mail.
3. Click the Send request to Support via web form link to send your request using an online web site form.


3 Getting started

The Safe'n'Sec is optimally configured upon installation.

When the program is first started, a new profile wizard is automatically activated. The wizard helps to set up the program automatically.

It is likely that your computer might have been infected before the Safe'n'Sec was installed. You are advised to perform a full computer scan to detect and treat existing malicious programs.

It is also recommended to update the antivirus bases and the program, for the antivirus bases might have got out of date and bug fixes might have been introduced to the program itself.

As soon as the aforementioned steps are taken the program is ready to run.

3.1 Program activation

The functionality of the Safe'n'Sec you can use is determined by the license key you have. The key is provided when you purchase the product and allows you to use the following components as soon as it is installed:

· Safe'n'Sec Core (Core) is the base component of the Safe'n'Sec for executing proactive protection.
· Safe'n'Sec Rootkit Detector (RD) is the base component responsible for detecting rootkits.
· Anti-Virus (AV) is an extra component which searches for viruses, trojan programs and other malicious program code.
· Anti-Spyware (AS) is an extra component which aims at detecting spy programs.

The Safe'n'Sec will not work without a key, unless it is activated in trial mode.

Upon license key expiration the product remains fully functional, except that you will not be able to perform program updates. You will still be able to use the protection components and perform scans, but only with the antivirus database you downloaded last while the license key was still active. Therefore, we provide no guarantee of 100% protection from those malicious programs that have emerged since the date your license key expired.

To avoid infecting your computer with new viruses you are recommended to extend your license key. A week before it expires the program will start notifying you about this - upon each start of the program a corresponding notification message will be displayed.

There are two ways you can activate the program:

· Automatic activation - in this case you provide the serial number and the program automatically obtains a corresponding license key from one of the company's internet servers and activates itself.
· Manual activation - in this case you will be required to transfer the serial number and hardware code to the Support service by phone or e-mail, receive a license key by phone or e-mail, and activate the program manually.

A serial number consists of a sequence of digits separated by hyphens into a number of blocks containing no spaces. Note that the serial number should be typed in English letters. In case you purchased the program in a box, the serial number will be printed on the setup disk envelope.

Actions

Activate program
1. Provide the license key in the Number field and click the Activate button.
2. In case Internet connection is available the program will automatically get activated
   or
3. In case no Internet connection is available the program will suggest the Manual activation option.
4. You will be suggested to contact the Support service by phone and provide them with the serial number and hardware code.
5. Type the license key obtained from the Support service in the Number field and click the Activate button.

3.2 Program update

The Safe'n'Sec program is supplied with antivirus and spy programs databases. These databases and the program are updated on a regular basis, each update including new antivirus records and program bug fixes. However, it is likely that these databases and the program executable code are already out of date at the moment you install the program.

In order to keep the protection level high you are advised to update the program and the databases immediately after you install the program.

Actions

Start update
1. Click the Start update button in the Update section of the Control panel.
2. To view the state of the update process click the Details link.

3.3 Scan

Your computer is likely to be infected with malicious programs prior to installing the Safe'n'Sec. You are recommended to perform a total computer scan to treat all the threats present.


Actions

Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.

3.4 Create system profile

In order to ensure utmost computer protection the Safe'n'Sec creates a System profile the first time it starts. The profile allows the program to:

- Classify all the installed applications into safe/known and potentially harmful/unknown.
- Execute unknown applications in a sandbox and automatically block their malicious activities.
- Reduce the user interaction required when deciding what to do with an application.

To create a System profile you have to take the following steps:

- Update automatic setup components via the Internet. If Internet connection is unavailable the already present components are used.
- Search and collect information about all executable files (exe, com, dll, etc.).
- Identify executable files by the following criteria:
  - An application is digitally signed.
  - A corresponding record for an application exists in a Windows cat file.
  - A corresponding record for an application exists in the white list of the Safe'n'Sec.
- Define rules of application execution:
  - Trusted or well-known application.
  - Restricted application.
  - Blocked application (execution is prohibited).
- Scan application's files with the anti-virus module.

After the System profile is created, the program tracks new or unknown applications (those that are not described in the System profile), blocks harmful actions and notifies you about their suspicious activities.

NOTE

The process of creating the system profile can take a long time depending on the amount of installed software. It is recommended to minimize the program's windows to the Windows task bar and proceed with your work.

IMPORTANT

Immediately after the program finishes its installation the protection system is switched off. You are advised to perform initial setup of the program by creating the System profile. As soon as the profile is created the program will automatically switch the protection on.

Actions

Cancel initial setup
1. Click the Stop button in the Automatic setup window.
2. The program will ask you to create a System profile later.

4 Protection

The major task of the Safe'n'Sec is to protect user data from yet unknown threats and vulnerabilities.

The protection consists of:

- Control, which means the program tracks all the activities that occur on the computer: starting/stopping of system services, execution of the installed software, user actions, etc.
- Analysis, which means the program analyzes sequences of actions of any application.
- Decision making, which means the program decides whether an application harmfully misbehaves, taking into account the results of the analysis of the application's actions.

What to control and how to analyze an application is determined by activity policies. Decision making is based on information about what actions an application has performed and their sequence.

The result of the decision making process is fixed in a status assigned to a controlled application. Following is a list of possible statuses:

- Malicious application, which means that what the application does may do harm to your data. As soon as such an application is detected the Safe'n'Sec notifies you with a detailed description of the actions the threat has performed.
- Safe marks an application as being not malicious. However, the Safe'n'Sec still continues controlling such an application.

The Safe'n'Sec comprises the following proactive protection components:

Application activity control.

Learning mode.

Application activity policy

Activity policy rules

Managing applications and processes


4.1 Activity control

You can find out whether activity control is enabled in the Status section. You are advised to never stop activity control, for as soon as it is off the computer protection is also stopped. The Safe'n'Sec controls the following areas by default:

- File system. This area encompasses actions regarding file creation, opening, changing and deletion. A malicious program can create files and execute them. Further goals of a malicious program are deleting or changing system files, unauthorized access and theft of the user's sensitive data. That is why such activities are under control of the Safe'n'Sec.
  You are not recommended to switch controlling of this area off. The program contains a file system control policy and you can of course change it.

- System registry. This area encompasses actions regarding adding, deleting and changing of system registry keys and values. A malicious program can change system registry keys to register itself for automatic start upon the start of the Operating System, substitute other programs with its own malicious modules, delete registry keys critical for system stability, etc. Unauthorized changing of Windows settings and your programs may lead to overall system instability.
  It is not recommended to switch control of this area off, especially when you explore the Internet. The program has a system registry controlling policy and does not require extra tuning; however, should the need arise it is possible to change it.

- Network. This area deals with actions regarding establishing network connections, sending and receiving data over the network. Many programs have to refer to data sources hosted on the Internet or local network to obtain the data they need to work or to send certain data to such sources. For instance, when an ICQ client starts it sends the user login and password to the ICQ server. Malicious programs are able to steal and transfer your private data to their counterparts on the Internet, and to open unauthorized network connections in order to install and successfully run trojan programs. Hackers explore your computer over the network to see if it has any actual vulnerabilities and whether it is possible to perform network intrusion.
  You are advised to not switch control of this area off, especially when you are navigating the Internet and do not use a firewall. The program has a network control policy and does not require further tuning. However, you can change its settings of course.

IMPORTANT.

Network activities are controlled by firewalls. If a firewall is installed on the computer you are recommended to switch network controlling off in order to avoid software conflicts between the firewall and the Safe'n'Sec.

- Devices. This area encompasses all the attachable devices via which malicious programs can penetrate the computer.

Actions

Turn protection off
1. Open the Program settings window and select the Activity control section.
   or
   Click the Settings link in the Status section of the Control panel.
2. Uncheck the Enable checkbox in order to totally switch the protection off.
   or
   Click the Settings button in the Protection mode group and uncheck the checkbox corresponding to the protection area you no longer need to protect.

Change policy rule
1. Click the Settings link in the Status section of the Control panel.
2. Click the Change button in the Application control policies group.

4.2 Learning mode

The Safe'n'Sec controls application activities and application actions data for further analysis. After the program is installed it uses the default database of well-known applications and associated activity policies. The database is periodically updated along with the program update. However, there may be applications that are not known to the Safe'n'Sec and certain actions of such programs can be treated by the program as potentially harmful. The learning mode aims at automatically analyzing an unknown application and establishing its activity control policy. An activity control policy is created solely by the program itself without the need of any user interaction.

IMPORTANT.

The learning mode helps to automatically set up the program to work with your applications. Before enabling the learning mode you are recommended to perform a full computer scan.

Actions

Start Learning mode
1. Open the Program settings window from the program's context menu and select the Activity control section.
   or
   Click the Settings link in the Status section of the Control panel.
2. Check the Learning mode checkbox.
3. Click the Settings button in the Protection mode group and specify the number of days the mode should be active in case you need to prolong this phase. Default is 5 days.

NOTE

The Learning mode can have a limited period of activity. If no software unknown to the Safe'n'Sec and no new activity of such software is detected for a certain period of time, the Safe'n'Sec will automatically finish the Learning mode.

4.3 Control policy

Data protection is exercised according to an activity policy.

An activity policy represents a set of rules which determines what actions of an application are analyzed and how this is done. Therefore, the rules are used to make a decision on whether an application is a malicious one. It is the activity policy that determines what actions and what action sequences are to be considered as harmful.

An activity rule is a set of conditions that enumerate an application's activities and the actions that the Safe'n'Sec takes when such activities occur. The conditions of an activity rule define a control scope which specifies the objects under control, how the Safe'n'Sec treats these objects, the associated application, etc.

The preventive technologies upon which the Application activity control is based make it possible to disarm an unknown threat before it starts misbehaving. As opposed to the reactive technologies that use a malicious code signature database to detect harmful applications, the proactive technologies take into consideration sequences of actions of an application to bring a verdict. If an application's activity sequence seems to be suspicious the Safe'n'Sec blocks such an application.

For the sake of an example let's consider a typical sequence of actions that characterizes a malicious application. The Safe'n'Sec will certainly consider an application to be a threat if the application copies an executable into the system folder, auto start folder, system registry and distributes its copies. In this particular case the Safe'n'Sec will classify the application as a worm.
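The worm sequence described above can be expressed as per-process behaviour tracking. The following is an added sketch, not Safe'n'Sec code: the event names, the sample paths and the rule that an autostart registry entry only counts when it points at a file the same process dropped earlier are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Illustrative locations (lower-cased); a real monitor would resolve these per system.
SYSTEM_DIR = "c:\\windows\\system32\\"
STARTUP_DIR = "c:\\documents and settings\\user\\start menu\\programs\\startup\\"
RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"
EXEC_EXT = (".exe", ".com", ".dll")

# The four behaviours the manual lists for its worm example.
WORM_INDICATORS = frozenset(
    {"system_folder", "autostart_folder", "autostart_registry", "spreads_copies"}
)


@dataclass(frozen=True)
class Event:
    process: str      # image name of the acting process
    action: str       # hypothetical event names: "file_write" or "reg_set"
    target: str       # file path or registry key
    data: str = ""    # registry value data for "reg_set"


@dataclass
class Track:
    dropped: set = field(default_factory=set)      # executables this process wrote
    indicators: set = field(default_factory=set)   # behaviours seen so far


def observe(track, event):
    """Update one process's track with a single event."""
    target = event.target.lower()
    if event.action == "file_write" and target.endswith(EXEC_EXT):
        track.dropped.add(target)
        if target.startswith(SYSTEM_DIR):
            track.indicators.add("system_folder")
        elif target.startswith(STARTUP_DIR):
            track.indicators.add("autostart_folder")
        elif target.startswith("\\\\"):            # UNC path: copy placed on a share
            track.indicators.add("spreads_copies")
    elif event.action == "reg_set" and target.startswith(RUN_KEY):
        # Order matters: only count autostart entries that point at a file
        # the same process dropped earlier in the sequence.
        if event.data.lower() in track.dropped:
            track.indicators.add("autostart_registry")


def classify(events):
    """Return {process: (verdict, indicators)} for an ordered event stream."""
    tracks = {}
    for event in events:
        observe(tracks.setdefault(event.process, Track()), event)
    return {
        name: ("worm" if WORM_INDICATORS <= t.indicators else "no verdict",
               frozenset(t.indicators))
        for name, t in tracks.items()
    }


# Constructed sample events, not captured from any product.
SAMPLE_EVENTS = [
    Event("photo.exe", "file_write", r"C:\WINDOWS\system32\winupd.exe"),
    Event("photo.exe", "reg_set", RUN_KEY, r"C:\WINDOWS\system32\winupd.exe"),
    Event("photo.exe", "file_write",
          r"C:\Documents and Settings\user\Start Menu\Programs\Startup\winupd.exe"),
    Event("photo.exe", "file_write", r"\\fileserver\public\photo.exe"),
    # An installer: drops a DLL and adds an autostart entry, but does not spread.
    Event("setup.exe", "file_write", r"C:\WINDOWS\system32\codec.dll"),
    Event("setup.exe", "reg_set", RUN_KEY, r"C:\WINDOWS\system32\codec.dll"),
    # Autostart entry written before the file exists: not counted.
    Event("tool.exe", "reg_set", RUN_KEY, r"C:\WINDOWS\system32\tool2.exe"),
    Event("tool.exe", "file_write", r"C:\WINDOWS\system32\tool2.exe"),
]

if __name__ == "__main__":
    for process, (verdict, seen) in classify(SAMPLE_EVENTS).items():
        print(f"{process:10} {verdict:10} {sorted(seen)}")
```

The installer case shows why a single indicator is not enough for a verdict: legitimate setup programs also write to the system folder and register autostart entries.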


Harmful actions may also encompass:

- actions typical for trojan programs;
- attempts to intercept keyboard input;
- hidden driver install;
- attempts to change the Operating System kernel.

The Application activity control interface consists of:

Activity policies

Managing applications and processes

4.3.1 Activity policies

The Activity policies section of the Policy rules window contains information about general rules imposed on all applications when resource (files, folders, system registry, etc.) or device access is detected. These rules are grouped into Common rules:

- File system.
- System Registry.
- Network.
- Process privileges.
- Devices.

A default set of rules is shipped with the program. The set is developed by the company's experts as a result of analyzing malicious code behaviour.

Actions

Block access to file object
1. Switch to the Common rules section in the Application control policy window.
2. Select the File system protection scope from the drop-down list.
3. Select a file system object in the tree and:
   - Check the Read checkbox in order to protect the file from reading by applications. This will automatically block changing and deletion of the file.
   - Check the Change checkbox to protect the file object from creation and altering by applications.
   - Check the Delete checkbox to protect the file object from being deleted.
4. A folder can have nested file system objects - other folders and files. Click the Yes button in the Propagate dialogue to propagate the specified restrictions onto all the nested objects of the current one.
5. Click the Apply button to make the changes to the policy active.

Block access to a System Registry object
1. Switch to the Common rules section in the Application control policy window.
2. Select the System Registry protection scope from the drop-down list.
3. Select a System Registry object in the tree and:
   - Check the Read checkbox to protect the specified object from reading. This will also automatically protect the object from changing and deletion.
   - Check the Change checkbox to protect the object from creation or changing.
   - Check the Delete checkbox to protect the object from being deleted.
4. A System Registry key can have nested objects such as other keys or values. Click the Yes button in the Propagate dialogue to propagate the specified rules onto all the nested objects.
5. Click the Apply button to bring the changes to the policy you have just made into action.

Create a Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network protection scope from the drop-down list.
3. Click the Add button.
4. Supply a name of the network rule in the Name field.
5. Specify the direction of data transfer from the Direction drop-down list. The default value is Inbound/Outbound.
6. Specify the network protocol from the Protocol drop-down list. The default value is TCP/UDP.
7. Define the Local IP address or an address range in the appropriate fields. The default value is Any address.
8. Define the Remote IP address or an address range in the appropriate fields. The default value is Any address.
9. Click the OK button to save the rule.
10. In the list of network rules check the Block checkbox next to the rule created to block communication of the specified network resource.

Change Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Specify the Network scope from the drop-down list.
3. Select an appropriate network rule from the list.
4. Click the Edit button.

Remove Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select an appropriate network rule from the list.
4. Click the Delete button. The program will delete the rule and allow communication with the specified network resource.
   or
5. Uncheck the Block checkbox next to the rule. The program will allow communication with the specified network resource.

Block all network activities
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select the Any network activity network rule from the list and check the Block checkbox next to it.

Deny using USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices from the list and check the Read checkbox.
4. Click the Apply button for the changes you have made to come into action.

Deny access to files on a USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices item in the list and:
   - Check the Read checkbox for the program to block read file object operations on all USB devices.
   - Check the Edit checkbox for the program to block create and change file object operations on all USB devices.
   - Check the Delete checkbox for the program to block delete file object operations on all USB devices.
4. Click the Apply button to apply the changes you have made.

Hide unrestricted resources
1. Switch to the Common rules section in the Application control policy window.
2. Uncheck the Show objects without access restrictions checkbox.


4.3.1.1 File system

The File system scope encompasses those access rules that deal with file system objects:

- Reading of a file or a folder.
- Creating and Changing of a file or a folder.
- Deleting of a file or a folder.

Actions

Deny access to file system object
1. Switch to the Common rules section in the Application control policy window.
2. Select the File system scope from the drop-down list.
3. Select a file system object in the object tree and:
   - Check the Read checkbox in order for the Safe'n'Sec to deny applications reading of the file system object. Denying reading blocks changing and deleting of the object as well.
   - Check the Change checkbox for the program to deny creation or changing of the file object.
   - Check the Delete checkbox for the program to block deletion of the file object.
4. A folder can have other nested file system objects such as other folders and files. Click the Yes button in the Propagate dialogue in order to propagate the specified restrictions onto all the nested objects of the current one.
5. Click the Apply button to apply changes.
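How the three checkboxes and the Propagate answer combine can be checked with a small model. This is an added example, not Safe'n'Sec code: the class and function names are hypothetical, propagation is modelled as a flag inherited by nested objects, and the sample folders are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Denying Read also blocks changing and deleting, as the steps above state.
IMPLIED = {
    "read": {"read", "change", "delete"},
    "change": {"change"},      # covers creation and changing
    "delete": {"delete"},
}


@dataclass(frozen=True)
class Restriction:
    path: PureWindowsPath
    checked: frozenset          # ticked checkboxes: subset of read/change/delete
    propagate: bool = False     # "Yes" in the Propagate dialogue

    def denied_ops(self):
        ops = set()
        for box in self.checked:
            ops |= IMPLIED[box]
        return ops

    def covers(self, target):
        if target == self.path:
            return True
        # Compare whole path components, not string prefixes, so that
        # C:\Data\Payroll does not accidentally cover C:\Data\PayrollArchive.
        return self.propagate and self.path in target.parents


def restriction(path, *checked, propagate=False):
    """Convenience constructor for one restricted object."""
    return Restriction(PureWindowsPath(path), frozenset(checked), propagate)


def is_denied(policy, path, op):
    """True if any restriction covering the path denies the operation."""
    target = PureWindowsPath(path)   # Windows paths compare case-insensitively
    return any(op in r.denied_ops() for r in policy if r.covers(target))


# Constructed sample policy.
POLICY = [
    restriction(r"C:\Data\Payroll", "read", propagate=True),
    restriction(r"C:\Data\Reports", "delete"),          # not propagated
]

if __name__ == "__main__":
    for path, op in [
        (r"c:\data\payroll\2010\march.xls", "delete"),
        (r"C:\Data\PayrollArchive\old.xls", "read"),
        (r"C:\Data\Reports\q1.doc", "delete"),
    ]:
        print(path, op, "denied" if is_denied(POLICY, path, op) else "allowed")
```

Answering No in the Propagate dialogue leaves nested objects unrestricted, which is the third case above: the folder itself cannot be deleted but the file inside it can.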

4.3.1.2 System Registry

The System Registry protection scope allows you to create rules controlling access to the Microsoft Windows System Registry:

- Reading of keys and values.
- Creating of keys and values.
- Deleting of keys and values.

Actions

Deny access to System Registry object
1. Switch to the Common rules section in the Application control policy window.
2. Select the System Registry protection scope from the drop-down list.
3. Select a System Registry object in the tree and:
   - Check the Read checkbox to protect the specified object from reading. This will also automatically protect the object from changing and deletion.
   - Check the Change checkbox to protect the object from creation or changing.
   - Check the Delete checkbox to protect the object from being deleted.
4. A System Registry key can have nested objects such as other keys or values. Click the Yes button in the Propagate dialogue to propagate the specified rules onto all the nested objects.
5. Click the Apply button to bring the changes to the policy you have just made into action.


4.3.1.3 Network

The Network protection scope allows you to create access rules in regard to network resources:

- Creating network connections.
- Transferring data to a remote computer.
- Receiving data from a remote computer.

A network rule comprises the following information:

- Name - specifies the name of the rule.
- Direction - specifies the direction of a network connection from the point of view of the connection originator:
  - Inbound - indicates that the connection has been initiated by the remote counterpart.
  - Outbound - indicates that the connection has been initiated by the local computer.
  - Inbound/Outbound - encompasses both directions.
- Protocol - specifies the name of the protocol used to establish the connection:
  - TCP
  - UDP
  - TCP/UDP - either of these two.
- Local address - specifies the IP address or a range of IP addresses of the local computer. The *.* mask identifies any available local network address.
- Remote address - specifies an IP address or a range of IP addresses of the remote computer. The *.* mask identifies any remote network address.
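The rule fields listed above can be modelled to see which connections a given rule actually covers. This is an added example, not Safe'n'Sec code: the class names and the "low-high" range notation are assumptions, and the addresses are constructed samples from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*.*"   # the manual's mask for "any address"


def parse_addresses(spec):
    """Turn '*.*', one IPv4 address or 'low-high' into an inclusive (low, high) pair.

    The 'low-high' notation is an assumption; the manual does not show the field syntax.
    """
    spec = spec.strip()
    if spec == ANY:
        return (ipaddress.IPv4Address("0.0.0.0"),
                ipaddress.IPv4Address("255.255.255.255"))
    low_text, _, high_text = spec.partition("-")
    low = ipaddress.IPv4Address(low_text.strip())
    high = ipaddress.IPv4Address(high_text.strip()) if high_text else low
    if high < low:
        raise ValueError(f"empty address range: {spec}")
    return low, high


@dataclass(frozen=True)
class Connection:
    direction: str   # "Inbound" or "Outbound", by who initiated the connection
    protocol: str    # "TCP" or "UDP"
    local: str
    remote: str


@dataclass(frozen=True)
class NetworkRule:
    name: str
    direction: str = "Inbound/Outbound"   # documented default
    protocol: str = "TCP/UDP"             # documented default
    local: str = ANY                      # documented default: any address
    remote: str = ANY                     # documented default: any address
    block: bool = False                   # the Block checkbox in the rule list

    def matches(self, conn):
        if conn.direction not in self.direction.split("/"):
            return False
        if conn.protocol not in self.protocol.split("/"):
            return False
        for spec, address in ((self.local, conn.local), (self.remote, conn.remote)):
            low, high = parse_addresses(spec)
            if not low <= ipaddress.IPv4Address(address) <= high:
                return False
        return True


def blocking_rule(rules, conn):
    """Name of the first checked (Block) rule that matches, or None if allowed."""
    for rule in rules:
        if rule.block and rule.matches(conn):
            return rule.name
    return None


# Constructed sample rules.
RULES = [
    NetworkRule("Block lab range", direction="Outbound", protocol="TCP",
                remote="203.0.113.10-203.0.113.20", block=True),
    NetworkRule("Inbound UDP", direction="Inbound", protocol="UDP"),  # Block unchecked
]

if __name__ == "__main__":
    for conn in [
        Connection("Outbound", "TCP", "192.168.1.10", "203.0.113.15"),
        Connection("Outbound", "UDP", "192.168.1.10", "203.0.113.15"),
        Connection("Inbound", "UDP", "192.168.1.10", "198.51.100.7"),
    ]:
        print(conn, "->", blocking_rule(RULES, conn) or "allowed")
```

A rule saved with every default left in place matches all traffic, so checking Block on it has the same effect as blocking the Any network activity rule; narrow at least one field before checking Block.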

Actions

Create a Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network protection scope from the drop-down list.
3. Click the Add button.
4. Supply a name of the network rule in the Name field.
5. Specify the direction of data transfer from the Direction drop-down list. The default value is Inbound/Outbound.
6. Specify the network protocol from the Protocol drop-down list. The default value is TCP/UDP.
7. Define the Local IP address or an address range in the appropriate fields. The default value is Any address.
8. Define the Remote IP address or an address range in the appropriate fields. The default value is Any address.
9. Click the OK button to save the rule.
10. In the list of network rules check the Block checkbox next to the rule created to block communication of the specified network resource.

Change Network rule
1. Switch to the Common rules section in the Application control policy window.
2. Specify the Network scope from the drop-down list.
3. Select an appropriate network rule from the list.
4. Click the Edit button.

Delete network rule
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select a network rule from the list.
4. Click the Delete button to delete the rule. The Safe'n'Sec will start allowing connections with the remote resource specified in the deleted rule.
   or
5. Uncheck the Deny checkbox next to the rule selected. The Safe'n'Sec will start allowing connections with the remote resource specified in the rule.

Block all network activities
1. Switch to the Common rules section in the Application control policy window.
2. Select the Network scope from the drop-down list.
3. Select the Any network activity network rule from the list and check the Block checkbox next to it.

4.3.1.4 Devices

The Devices protection scope allows you to create rules that control access to certain devices:

- Reading file resources from USB devices.
- Creating and Changing file resources on USB devices.
- Deleting file resources on USB devices.

Actions

Deny using USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices from the list and check the Read checkbox.
4. Click the Apply button for the changes you have made to come into action.

Deny access to files on a USB device
1. Switch to the Common rules section in the Application control policy window.
2. Select the Devices scope from the drop-down list.
3. Select the USB Devices item in the list and:
   - Check the Read checkbox for the program to block read file object operations on all USB devices.
   - Check the Edit checkbox for the program to block create and change file object operations on all USB devices.
   - Check the Delete checkbox for the program to block delete file object operations on all USB devices.
4. Click the Apply button to apply the changes you have made.

4.3.2 Processes and applications

The Processes and applications section in the Application control policy window contains information about all the applications on the computer:

- Internal name - specifies the name of an application (read from the version info of an application) or the name of a file.
- Status - specifies the status of an application:
  - Running - indicates that the application is currently executing.
  - Grayed - indicates that the application is currently not running.
- Restrictions - specifies a set of restrictions imposed on the application.
  - Custom - specifies that the application is a Trusted or Well-known one. The application is controlled by Custom restrictions only.
  - Common or Custom - specifies that the application is under control of Common and Custom restrictions.
  - Execution blocked - specifies that the application is blocked by the Safe'n'Sec.
- Company - determines the producer of the application (read from the version info of the application).
- Product name - determines the name of the application (read from the version info of the application).
- Delete on restart - indicates that the application must be deleted the next time the Operating System restarts. This approach is used to delete malicious programs that, when running, actively protect themselves from being deleted. The property is not displayed by default.

When an application first starts the Safe'n'Sec registers it in its service database and automatically assigns restrictions:

- Custom restrictions are assigned to Well-known or Trusted applications. Well-known applications are identified by a trusted digital signature and a corresponding record in Windows catalogue files (this is a common practice for all Windows system applications) and by "white lists" managed by the Safe'n'Sec. Trusted applications are those that you have manually marked to be considered trusted.
- Common and Custom restrictions are assigned to Unknown applications. An Unknown application is one which is installed on the computer after the Safe'n'Sec was installed. The Safe'n'Sec detects installation of new software and suggests marking the application as well-known if the installation process was initiated by you and originated from a trusted source.

Actions

Block application execution
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications in the list and from the context menu select the Block execution item.

IMPORTANT

Please, be careful denying execution of an application. If you deny execution of a system service or process it may lead to Windows inoperability.

Register new application
1. Switch to the Processes and applications section in the Application control policy window.
2. Click the Add button and specify an application in the Open file dialogue. By default the application will be assigned Common and Custom restrictions.

Mark application as Trusted
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications in the list and from the context menu select the Trust item.

Change application properties
1. Open the Program settings window from the program's context menu and select the Activity control section.
2. Click the Settings button in the Application control policies group.
3. In the window opened select the Applications tab.
4. Specify an application in the list and click the Properties link.
   or
5. Click the Registered applications link in the Status section of the Control panel.
6. Specify an application in the list and click the Properties link.

Remove from Trusted
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications and from the context menu select the Remove from Trusted item.

Unregister application
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify one or more applications in the list and click the Delete link.

Delete application upon restart
1. Switch to the Processes and applications section in the Application control policy window.
2. Make the Delete on restart column visible in the list settings window.
3. Specify the required application in the list and from the context menu select the Delete on restart item.

Terminate application
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify the application in the list and click the Terminate link.

IMPORTANT

Please, be careful specifying applications for termination. Terminating system processes may lead to Windows restart.

4.3.3 Application properties

This chapter considers application properties:

Common

History

Restrictions

Actions

Change rules
1. Switch to the Processes and applications section in the Application control policy window.
2. Select an application from the list and click the Properties link.
3. In the Common section click the Rules link and select:
   - Remove from Trusted to force the Safe'n'Sec to assign Common and Custom rules to the application.
   - Trust to tell the Safe'n'Sec to assign Custom rules to the application.
   - Block application to block the application from running.

Anti-virus scan
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application in the list and click the Properties link.
3. Click the Scan.

Enable activity log
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Check the Log application activities checkbox in the Log section of the Application properties window.
4. Check the Create backup copies for recovery checkbox to instruct the Safe'n'Sec to create backup copies of all the file system and System Registry objects it alters or deletes.

Recover changed objects
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Specify one or more files or System Registry objects from the activity log in the Log section of the Application properties window.
4. Click the Recover button.

4.3.3.1 Common properties

The Common section of the Application properties window contains information about the application's file and the restrictions assigned to it:

Path - specifies the full path to the executable file of the application.
Size - specifies the size of the file in bytes.
Created - specifies the date and time when the file was created.
Changed - specifies the date and time when the file was last changed.
Description - provides the description text from the file's version info.
Application - provides the product's description (read from the version info of the file).
Company - specifies the name of the company that produced the application (read from the version info of the file).
Rules - defines the restrictions assigned to the application:
    Custom - identifies either a Trusted or Well-known application. Only Custom restrictions are in effect.
    Common and custom - identifies an application with limited functionality. Common and Custom restrictions are in effect.
    Execution blocked - indicates that the application is blocked from executing.
    User assigned - specifies that restrictions were manually assigned by you.
    Automatically assigned - specifies that restrictions were assigned by the Safe'n'Sec automatically according to the results of automatic setup.
Identification - specifies the identity of the application according to the following criteria:
    Certificate - whether the application has a trusted certificate (digital signature).
    Catalogue file - whether the application has an associated record in a Windows catalogue file (cat file).
    Safe'n'Sec database - indicates whether the application has an associated record in the "white list" of the Safe'n'Sec.
    <no data> - indicates that the application has not been identified.
Scan results - contains information about the anti-virus scan of the application.

Actions

Change restrictions
1. Switch to the Processes and applications section in the Application control policy window.
2. Select an application from the list and click the Properties link.
3. In the Common section of the Rule conditions group click the Restrictions link and select one of the following:
    Remove from Trusted to force the Safe'n'Sec to assign Common and Custom restrictions to the application.
    Trust to tell the Safe'n'Sec to assign Custom restrictions to the application.
    Block execution to block the application from running.

Anti-virus scan
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application in the list and click the Properties link.
3. Click Scan.

4.3.3.2 Activity log

The Log section in the Application properties window contains information about application activities with regard to file resource and System Registry access:

Time - specifies the date and time of an event.
Event - contains a description of the event:
    Start - specifies when the application has started.
    Stopped - specifies when the application stopped.
    Read - indicates that the application has read a file or a System Registry object.
    Change - indicates that the application has created or changed a file or a System Registry object. Changed objects can be restored.
    Delete - indicates that the application has deleted a file or a System Registry object. Deleted objects can be restored.
Object - specifies the name of the file or System Registry object.
Result - specifies the result of restoring a changed object:
    Restored - indicates that the object has successfully been restored.
    Recovery error - indicates that the object cannot be restored.

The Safe'n'Sec stores backup copies of modified objects in the <Safe'n'Sec installation directory>\History folder.

Actions

Enable activity log
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Check the Log application activities checkbox in the Log section of the Application properties window.
4. Check the Create backup copies for recovery checkbox to instruct the Safe'n'Sec to create backup copies of all the file system and System Registry objects that the application alters or deletes.

Restore changed objects
1. Switch to the Processes and applications section in the Application control policy window.
2. Specify an application from the list and click the Properties link.
3. Specify one or more files or System Registry objects from the activity log in the Log section of the Application properties window.
4. Click the Recover button.

4.3.3.3 Custom rules

The Rules section in the Application properties window contains information about the Custom rules that control an application when it accesses computer resources and devices. These rules are grouped into the following:

File system.
System Registry.
Network.
Process privileges.
Devices.

Custom rules take precedence over Common ones: the Custom rules are evaluated first. The Safe'n'Sec may be shipped with a predefined set of rules established by the company's experts as a result of examining the behaviour of the given application. The process of changing Custom rules for an application is exactly the same as the process of changing Common ones.

4.4 Notifications

The Safe'n'Sec controls all activities of all the applications installed on the computer and notifies the user about each violation of a control policy and each launch of an unknown application.

This chapter covers the notifications of the Safe'n'Sec:

Unknown application launch

Policy violation

Actions

Install new software
1. Launch the setup program of a new application.
2. In the Notification window popped up by the Safe'n'Sec click the Details link.
3. Check the Install new program checkbox and click the Execute button.

Enable/Disable an activity for session
1. In the Notification window click the Details link.
2. Check the In this session checkbox in the appropriate group and click the Enable or Disable button.

The Safe'n'Sec will enable or disable the specified activity for the duration of the current application session.

For instance: an application tries to change a system file located within the Windows system folder. The Safe'n'Sec will notify you about the attempt to change this file only once, and if you choose to disable the activity, all subsequent attempts to change system files will be blocked. The next time the application tries to change a system file again, the Safe'n'Sec will again notify you about the attempt.

Enable/Disable activity as a rule
1. In the Notification window click the Details link.
2. Check the Remember checkbox in the appropriate group and click either the Enable or the Disable button.

The Safe'n'Sec will remember your choice.

For instance: if an application tries to change a system file in the Windows system folder, the Safe'n'Sec will notify you about the attempt. If you choose to block the action and check Remember, the Safe'n'Sec will never let the application change system files in the Windows system folder, and will not even pop up the Notification window.

4.4.1 Unknown application launch

When an unknown application tries to launch, the Safe'n'Sec notifies the user and asks for a decision on whether the application should be allowed to start. The Notification window comprises two parts:

Application description. This block contains information about the application: its name, producer company, path.
Action. Specifies what to do with the application:
    Run - specifies that the application should be allowed to start. If you know for sure that the source of the application is trusted, you are recommended to allow it to start.
    Block - specifies that the application should be blocked. You are advised to choose this action if the application has come from an untrusted source or it is not you who initiated its launch.

NOTICE

If you fail to make a decision on whether the application should be allowed to start within 5 minutes, the Safe'n'Sec will block the application and close the Notification window.

Actions

Install new software
1. Launch the setup program of a new application.
2. In the Notification window popped up by the Safe'n'Sec click the Details link.
3. Check the Install new program checkbox and click the Execute button.

4.4.2 Policy violation

When an activity policy is violated, the Safe'n'Sec notifies the user about this fact. In most cases the program requires no user interaction to block suspicious activity. The Notification window comprises three sections:

Caption. It contains a concise description of the event that occurred, for instance: a protected file is being changed, a network connection is being established, etc.
Application and object description. This section contains information about an application (its name, producer, path) and an object (file name, System Registry path, etc.).
Action. Allows you to specify which action is to be taken by the Safe'n'Sec:
    Allow - indicates that the application's activity should be allowed. It is recommended to choose this action when dealing with well-known or trusted applications.
    Block - indicates that the application's activity should be blocked. You are recommended to choose this action whenever dealing with an application that is of unknown origin or that you did not launch yourself.

NOTE

If you fail to make a decision on what action should be taken in response to the Notification window, the Safe'n'Sec will block the activities of the application that caused the notification and close the window.

Actions

Enable/Disable an activity for session
1. In the Notification window click the Details link.
2. Check the In this session checkbox in the appropriate group and click the Enable or Disable button.

The Safe'n'Sec will enable or disable the specified activity for the duration of the current application session.

For instance: an application tries to change a system file located within the Windows system folder. The Safe'n'Sec will notify you about the attempt to change this file only once, and if you choose to disable the activity, all subsequent attempts to change system files will be blocked. The next time the application tries to change a system file again, the Safe'n'Sec will again notify you about the attempt.

Enable/Disable activity as a rule
1. In the Notification window click the Details link.
2. Check the Remember checkbox in the appropriate group and click either the Enable or the Disable button.

The Safe'n'Sec will remember your choice.

For instance: if an application tries to change a system file in the Windows system folder, the Safe'n'Sec will notify you about the attempt. If you choose to block the action and check Remember, the Safe'n'Sec will never let the application change system files in the Windows system folder, and will not even pop up the Notification window.
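The notification semantics described in this chapter (a choice kept for the session, a remembered choice, blocking when no decision is made) and the Custom-before-Common precedence from 4.3.3.3 can be followed in a small Python model. This is an added illustration, not Safe'n'Sec code: all class, application and activity names are constructed, and the model assumes that a session choice is consulted before the Common rules, that "next time" means the application's next session, and that an activity no rule mentions is allowed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"  # policy violation: the Notification window is shown


class Scope(Enum):
    SESSION = "in this session"  # the "In this session" checkbox
    REMEMBER = "remember"        # the "Remember" checkbox


Answer = Optional[Tuple[Verdict, Scope]]  # None = the user never answered
Prompt = Callable[[str, str], Answer]
Rules = Dict[str, Dict[str, Verdict]]     # application -> activity -> verdict


@dataclass
class PolicyEngine:
    common: Dict[str, Verdict]                    # Common rules: activity -> verdict
    custom: Rules = field(default_factory=dict)   # Custom rules, per application
    session: Rules = field(default_factory=dict)  # choices valid for one session
    prompts_shown: int = 0

    def check(self, app: str, activity: str, prompt: Prompt) -> Verdict:
        # Custom rules are evaluated first and take precedence over Common ones.
        verdict = self.custom.get(app, {}).get(activity)
        if verdict is not None:
            return verdict
        # Assumption: a session choice is consulted before the Common rules.
        verdict = self.session.get(app, {}).get(activity)
        if verdict is not None:
            return verdict
        # Assumption: an activity that no rule mentions is allowed.
        verdict = self.common.get(activity, Verdict.ALLOW)
        if verdict is not Verdict.ASK:
            return verdict
        self.prompts_shown += 1
        answer = prompt(app, activity)
        if answer is None:
            return Verdict.BLOCK  # no decision made: block and store nothing
        choice, scope = answer
        if choice is Verdict.ASK:
            raise ValueError("the user must answer ALLOW or BLOCK")
        # A remembered choice becomes a Custom rule; otherwise it lasts one session.
        store = self.custom if scope is Scope.REMEMBER else self.session
        store.setdefault(app, {})[activity] = choice
        return choice

    def end_session(self, app: str) -> None:
        """The application exited: forget its session-only choices."""
        self.session.pop(app, None)


def no_prompt_expected(app: str, activity: str) -> Answer:
    raise AssertionError(f"unexpected notification for {app}: {activity}")


def run_scenario() -> List[Tuple[str, int]]:
    """Return (verdict, notifications shown so far) for each constructed step."""
    app, write, net = "editor.exe", "change_system_file", "connect_network"
    engine = PolicyEngine(common={write: Verdict.ASK, net: Verdict.BLOCK})
    steps: List[Tuple[str, int]] = []

    def record(verdict: Verdict) -> None:
        steps.append((verdict.value, engine.prompts_shown))

    record(engine.check(app, write, lambda a, b: None))  # user never answers
    record(engine.check(app, write, lambda a, b: (Verdict.ALLOW, Scope.SESSION)))
    record(engine.check(app, write, no_prompt_expected))  # same session: no prompt
    engine.end_session(app)
    record(engine.check(app, write, lambda a, b: (Verdict.BLOCK, Scope.REMEMBER)))
    engine.end_session(app)
    record(engine.check(app, write, no_prompt_expected))  # remembered: no prompt
    record(engine.check(app, net, no_prompt_expected))    # Common rule blocks
    engine.custom.setdefault(app, {})[net] = Verdict.ALLOW
    record(engine.check(app, net, no_prompt_expected))    # Custom rule wins
    return steps


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The first step is the case to watch when reviewing any prompt-driven control: an unanswered notification blocks the activity and leaves no stored choice, so the same question is asked again on the next attempt.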

5 Scan

Computer scanning aims at detecting malicious code and is based on:

Anti-virus databases - the databases contain signatures of known viruses, trojan programs and other malicious objects.
Spyware databases - these databases contain signatures of known spy-programs.
The Rootkit Detector component is used to search for hidden objects (rootkits). A rootkit is a program or a set of programs used to hide the malicious activities and artifacts of an intruder or a harmful program in the Operating System. A rootkit injects itself into the Operating System and disguises its own existence and the existence of processes, folders and System Registry keys belonging to other malicious programs described in the rootkit's configuration file.

The Safe'n'Sec compares the object it scans against the records in its databases and, if a match is found, marks the object as malicious. This is signature-based analysis. In order to detect hidden resources, all running processes and system hooks are checked.

In order to perform a scan it is necessary to:

Include objects for scanning into the protection scope. Any object from the following list can be scanned: file system objects (logical drives and files), system memory, bootable sectors, etc. By default all the objects are included in the scope.
Make a decision regarding the threats found, according to the scan results, if they have not been neutralized.

It is recommended to perform a scan:

immediately after the Safe'n'Sec is installed onto the computer, provided that no other anti-virus software was previously installed.
each time application activity control has been disabled and external storage (USB, CD, DVD, etc.) has been used or an Internet connection has been established.

NOTICE

In order to be able to use anti-virus and spy databases an appropriate license is required.

IMPORTANT

For the Safe'n'Sec to be effective at malicious code search, its anti-virus and spy databases must be updated daily. It is recommended to set up Daily automatic update.

Actions

Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.

Stop scan
1. Click the Stop scan button in the Scan section of the Control panel. Note that a scan cannot be stopped while it is still initializing.
2. To examine the state of the scan click the Details link.

View scan report
1. Click the Last scan link in the Scan section of the Control panel.
2. To view previous scan reports, navigate to the <product installation directory>\Reports folder and open a scan<scan date and time>.txt file.

Manually treat threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Ask upon completion checkbox in order for the program to display a list of threats found as soon as a scan completes.
or
3. Check the Ask action checkbox to instruct the Safe'n'Sec to ask you what to do each time a threat is found.
4. Start scan.

Scan all files/search for unknown threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the All files and Use heuristic analyzer checkboxes.
3. Start scan.

Scan archives and e-mail databases
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Archives and E-Mail databases checkboxes.
3. Start scan.

Search for rootkits
1. Open the Program settings window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Search for hidden resources checkbox.
3. Start scan.

5.1 Objects

You can specify the following objects to be scanned:

System memory - specifies scanning of all running processes.
It is recommended to scan system memory daily and whenever new processes that you did not start appear.

Bootable sectors - specifies scanning of disc bootable sectors.
Objects in quarantine - specifies that objects moved to quarantine should be scanned.
It is recommended to rescan objects in quarantine each time after a program update completes.

All removable drives - specifies that all file system objects on all removable drives are to be scanned.
It is recommended to scan removable drives each time you plan to read or write files from or to such drives or run a program from removable media.

All hard drives - specifies all the file system objects on all hard drives.
My computer - specifies that all file system objects on the computer are to be scanned.
Trash - specifies that all deleted file system objects are to be scanned.
My documents - specifies that your documents are to be scanned.
Desktop - specifies that all file system objects residing on the desktop are to be scanned.

Actions

Start scan
1. Specify one or more objects in the Scan section of the Control panel.
2. Click the Start scan button.
3. To examine the state of the scan click the Details link.

5.2 Scan results

When a malicious object is detected the Safe'n'Sec determines its type (a virus, a trojan program, a spy program, etc.) and treats it in one of the following manners:

Treats the infected object, or deletes it if treatment is impossible.
Postpones treatment of the detected objects until the scan completes. The Safe'n'Sec will show you the list of detected threats upon scan completion and will ask you to treat them manually.
Asks action each time a threat is detected:
    Treat - means that the Safe'n'Sec will try to treat the threat or delete it if treatment is not possible, or terminate a malicious process.
    It is recommended to perform this action when your data or your program has been modified by a malicious program.
    Delete - means to delete an infected file or terminate a malicious process.
    It is recommended to perform this action when a malicious program (virus, trojan, spy program, etc.) has been detected.
    Move to quarantine - instructs the Safe'n'Sec to move an infected object to a special folder and block it from execution.
    This action is recommended whenever you suspect the Safe'n'Sec has found a malicious object.
    Skip - tells the Safe'n'Sec not to take any steps to treat the object.

Actions

View threats found
1. A list of all the threats detected is available only after a scan completes and contains a log of all the objects found since the Safe'n'Sec was installed.
2. Click the Detected link in the Scan section of the Control panel.

View scan report
1. Click the Last scan link in the Scan section of the Control panel.
2. To view previous scan reports, navigate to the <product installation directory>\Reports folder and open a scan<scan date and time>.txt file.

Change action on threat found
1. Open the Program settings window from the context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check an appropriate checkbox in the Action group.

5.3 Threats detected

The Detected threats list contains information about the malicious objects found, together with the actions taken on them:

Date - specifies the date and time when a malicious object was found.
Object - specifies the name of the object and its path:
    File name.
    Process name in memory.
    Bootable sector.
Path - specifies the full path to the object.
Detected - specifies the name of the malicious object.
Status - indicates the status of the object:
    Detected - indicates that a malicious object is detected.
    Treated - indicates that the malicious object has been disinfected.
    Deleted - indicates that the malicious object has been deleted.
    Moved to quarantine - indicates that the malicious object has been moved to the quarantine folder.
    Cannot be treated - indicates that the object cannot be treated.
    It is recommended to try to delete the object.
    Cannot be deleted - indicates that an error occurred during an attempt to delete the object.
    In such a case it is recommended to terminate the process and block the object.
    Cannot move to quarantine - indicates that an error occurred when the Safe'n'Sec tried to move the object to the quarantine folder.
    In such a case it is recommended to terminate the process and block the object.

Treat - means to treat the object.
Delete - means to delete the malicious objects.
Move to quarantine - means to move the malicious objects to a special quarantine folder.

NOTICE

The list of threats found is available only after a scan completes. The list contains the entire history of all the threats detected from the moment the Safe'n'Sec was installed.

Actions

Manually treat threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Ask upon completion checkbox in order for the program to display a list of threats found as soon as a scan completes.
or
3. Check the Ask action checkbox to instruct the Safe'n'Sec to ask you what to do each time a threat is found.
4. Start scan.

Send detected threats to Support for analysis
1. Select objects in the Threats found list.
2. Select the Send command from the list's context menu. The Safe'n'Sec will create an e-mail with the information required by the company's Support service and open it in the default e-mail client.
3. Send the e-mail.

Obtain information about the object detected
1. Select objects in the Threats found list.
2. Select the Info <object name> command from the list's context menu. The Safe'n'Sec will open the default web browser showing a list of resources that contain information about the object.
3. Select the Open file's folder item from the list's context menu to search for the file on the computer.

6 Program update

During the update process the Safe'n'Sec checks for new updates, calculates their amount, downloads and installs them:

Program modules updates improve the functionality of the Safe'n'Sec, add new functionality and introduce bug fixes.
Anti-virus databases updates add new records to the anti-virus signature databases of the Safe'n'Sec. These databases are used by the program when it scans the computer.
Spy programs databases updates add new records to the spy programs databases of the Safe'n'Sec.
Application control policies updates bring new activity rules.

Which kinds of updates are available to you is determined by your license, which describes which components are available.

For instance, if the license includes the Safe'n'Sec Core only, the update process will not check for anti-virus and spy databases updates and therefore these databases will not be installed onto the computer.

IMPORTANT

The Safe'n'Sec uses the company's special update servers. For an update to succeed, an Internet connection is required. By default the Internet connection parameters are detected automatically. If you connect to the Internet via a proxy server and the Safe'n'Sec is unable to automatically detect the proxy's settings, please set up the network connection parameters.

NOTE

Certain updates of program modules may require system restart.

Actions

Start update
1. Click the Start update button in the Update section of the Control panel.
2. To view the state of the update process click the Details link.

Interrupt update
1. Click the Stop update button in the Update section of the Control panel. The update process can actually be stopped only at the phase when updates are being either downloaded or installed.
2. To view the state of the update process click the More link.

View update report
1. Click the Installed updates link in the Update section of the Control panel.
2. To view reports on previous updates, navigate to the <product installation directory>\Reports folder and open an update<update date and time>.txt file.

Setup network connection
1. Open the Program settings window from the context menu and select the Update section.
or
Click the Settings link in the Update section of the Control panel.
2. Check the Use proxy server checkbox.
3. Provide the IP address or DNS name of the proxy server and its port (defaults to 80) in the corresponding fields.
4. Check the Use proxy server authorization checkbox if authorization is required. Provide the user name and password in the corresponding fields.

Setup automatic update
1. Open the Program settings window from the program's context menu and select the Update section.
or
Click the Settings link in the Update section in the Control panel.
2. Check the Update automatically checkbox.
3. Check the Ask for confirmation checkbox in order for the program to ask your permission before starting the update process, so that you can disallow an update.
4. Specify how often the program should update itself in the Check for updates list. If you use the Anti-Virus or Anti-Spyware components, you are recommended to specify Daily updates.
5. The Next update field will show the time when the program will next update itself.

7 Settings

The Settings window provides you with quick links to the main settings of the Safe'n'Sec and contains the following sections:

Activity control allows you to specify the settings of application activity control, Learning mode and activity policies.
Scan allows you to change the settings of malicious code search.
Updates allows you to modify the settings of the program's updates.
Interface allows you to customize the program's interface, set password protection and specify the regional language.
Reports allows you to customize how reports are formed.
Notifications helps you tune the notification system.
Restore deals with the settings for saving and restoring the program's settings.

The program's settings are also reachable from the corresponding sections of the Control panel and from the context menu of the program.

Actions

Restore program's settings
1. Open the Program settings window from the program's context menu.
2. Click the Default button in order to restore only the default settings.
or
1. Open the Program settings from the program's context menu and select the Settings restore.
2. Specify the date of the settings backup and click the Restore button.

7.1 Activity control

When the Safe'n'Sec is installed the following control parameters are set:

Protection mode: Enabled.
File system: Enabled.
System Registry: Enabled.
Network: Enabled.
Learning mode: Enabled.
Learning mode will finish if no new activity for: 1 day.

Actions

Stop protection
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Uncheck the Enable checkbox in order for the program to stop protection by all Common rules.
or
Click the Setup button in the Protection mode group and uncheck the checkbox of a protection scope to tell the program to stop controlling this particular type of application activity.

Start Learning mode
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Check the Learning mode checkbox.
3. Click the Settings button in the Protection mode group and specify the number of days the mode should be active in case you need to prolong this phase. Default is 5 days.

NOTE

The Learning mode can have a limited period of activity. If no software unknown to the Safe'n'Sec and no new activity of such software is detected for a certain period of time, the Safe'n'Sec will automatically finish the Learning mode.

Change application control policy
1. Open the Program settings window from the program's context menu and select the Activity control section.
or
Click the Settings link in the Status section of the Control panel.
2. Click the Settings button in the Application control policies group.

Change application properties
1. Open the Program settings window from the program's context menu and select the Activity control section.
2. Click the Settings button in the Application control policies group.
3. In the window opened select the Applications tab.
4. Specify an application in the list and click the Properties link.
or
5. Click the Registered applications link in the Status section of the Control panel.
6. Specify an application in the list and click the Properties link.

7.2 Scan

When the Safe'n'Sec is installed the following scan parameters are set:

Action: Disinfect, Delete if disinfection fails.
Scan files: executable files only.
Compound objects scan: Disabled.
Scan method: Disabled.

Actions

Manually treat threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Ask upon completion checkbox in order for the program to display a list of threats found as soon as a scan completes.
or
3. Check the Ask action checkbox to instruct the Safe'n'Sec to ask you what to do each time a threat is found.
4. Start scan.

Scan all files/search for unknown threats
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the All files and Use heuristic analyzer checkboxes.
3. Start scan.

Scan archives and e-mail databases
1. Open the Program properties window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Archives and E-Mail databases checkboxes.
3. Start scan.

Search for rootkits
1. Open the Program settings window from the program's context menu and select the Scan section.
or
Click the Settings link in the Scan section of the Control panel.
2. Check the Search for hidden resources checkbox.
3. Start scan.

7.3 Updates

When the Safe'n'Sec is installed the following properties of the update process are defined:

Automatic update: Disabled.
Prompt for confirmation prior to updating: Disabled.
Check for updates:
    daily - used by the Safe'n'Sec Core (Core) component.
    monthly - used by Anti-Virus (AV) or Anti-Spyware (AS) components.
Use proxy server: Disabled. Internet connection properties are copied from the default web browser installed on the computer, for instance from Microsoft Internet Explorer.

Actions

Setup network connection
1. Open the Program settings window from the context menu and select the Update section.
or
Click the Settings link in the Update section of the Control panel.
2. Check the Use proxy server checkbox.
3. Provide the IP address or DNS name of the proxy server and its port (defaults to 80) in the corresponding fields.
4. Check the Use proxy server authorization checkbox if authorization is required. Provide user name and password in the corresponding fields.

Setup automatic update
1. Open the Program settings window from the program's context menu and select the Update section.
or
Click the Settings link in the Update section in the Control panel.
2. Check the Update automatically checkbox.
3. Check the Ask for confirmation checkbox to have the program ask your permission before it starts the update process; you will then be able to disallow an update.
4. Specify how often the program should update itself in the Check for updates list. If you use the Anti-Virus or Anti-Spyware components, you are recommended to specify Daily updates.
5. The Next update field will show the time when the program will next update itself.

7.4 Interface

When the Safe'n'Sec is installed the following properties of its interface are defined:

Show icon in tray: On.
Enabled sounds: On.
Protect settings with password: Disabled.

Actions

Disable tray icon


1. Open the Program settings window from the program's context menu and select the Interface section.
2. Uncheck the Show tray icon checkbox.

Disable sounds
1. Open the Program settings window from the program's context menu and select the Interface section.
2. Uncheck the Use sounds checkbox.

Password protect settings
1. Open the Program settings window from the program's context menu and select the Interface section.
2. Check the Protect with password checkbox and provide password in the corresponding field.

IMPORTANT

It is not possible to recover your lost password. If you forget your password you will not be able to change program settings and will have to reinstall the Safe'n'Sec.

7.5 Reports

When the Safe'n'Sec is installed the following properties of reports are defined:

Create reports: All.
Time to keep reports: 5 days.

The program prepares the following types of reports:

System report contains data about the program's execution, exceptions, warnings about activity policy violation. A text file with the name system_date_time.txt template is created each time the program starts.
Updates contains data regarding the update process. A text file with the name update_date_time.txt template is created each time an update process starts.
Scan report contains data regarding the scanning process. A text file with the name scan_date_time.txt is created each time a scan starts.
Threats report contains data about threats detected. A text file with the name threats.xml is recreated each time the computer is scanned.

All the reports are saved to the <product installation directory>\Reports folder.

Actions

Disable reports
1. Open the Program settings window from the program's context menu and select the Reports section.
2. Uncheck the Create reports checkbox.
or
3. Uncheck a checkbox of a required type of reports. The Safe'n'Sec will stop creating reports of the specified type.

Change how long reports are to be kept


1. Open the Program settings window from the program's context menu and select the Reports section.
2. Specify the number of days reports are to be kept in the corresponding field.

Remove all reports
1. Open the Program settings window from the program's context menu and select the Reports section.
2. Click the Clear button.
3. Delete all files from the <product installation directory>\Reports.
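Because reports are kept for only 5 days by default and threats.xml is recreated at every scan, detection history is lost unless the files are copied elsewhere first. The following Python script is an added example, not part of Safe'n'Sec or of this manual: it recognizes the four report name templates listed above and copies reports that are close to the retention limit, plus a snapshot of each threats.xml version, to an archive folder. The archive folder, the use of file modification time as the report age, the loose matching of the undocumented date_time part and the sample file names are assumptions.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Name templates from the Reports section. The layout of the date_time part is
# not documented there, so it is matched loosely (assumption).
REPORT_RX = re.compile(r"^(?:(system|update|scan)_.+\.txt|(threats)\.xml)$", re.I)

def classify(name):
    """Return 'system', 'update', 'scan' or 'threats', or None for other files."""
    m = REPORT_RX.match(name)
    return (m.group(1) or m.group(2)).lower() if m else None

def archive_reports(reports_dir, archive_dir, keep_days=5, margin_days=1, now=None):
    """Copy reports nearing the retention limit and snapshot threats.xml.
    Age is the file modification time (assumption); returns {type: [names written]}."""
    now = time.time() if now is None else now
    cutoff = now - (keep_days - margin_days) * 86400
    archive = Path(archive_dir)
    archive.mkdir(parents=True, exist_ok=True)
    written = {}
    for src in sorted(Path(reports_dir).iterdir()):
        kind = classify(src.name)
        if kind is None or not src.is_file():
            continue
        mtime = src.stat().st_mtime
        if kind == "threats":  # recreated on every scan, so keep one copy per version
            dest = archive / f"threats_{int(mtime)}.xml"
        elif mtime <= cutoff:
            dest = archive / src.name
        else:
            continue
        if not dest.exists():  # a repeated run neither duplicates nor overwrites
            shutil.copy2(src, dest)
            written.setdefault(kind, []).append(dest.name)
    return written

def demo():
    """Run against constructed sample files (name -> age in days) in a temp folder."""
    root = Path(tempfile.mkdtemp())
    reports, now = root / "Reports", 1_700_000_000
    reports.mkdir()
    ages = {"system_old.txt": 4.5, "scan_new.txt": 1, "threats.xml": 0.5, "notes.txt": 9}
    for name, days in ages.items():
        (reports / name).write_text("constructed sample")
        os.utime(reports / name, (now, now - days * 86400))
    return archive_reports(reports, root / "Archive", now=now)
```

Run it on a schedule shorter than the configured retention period, pointing reports_dir at the <product installation directory>\Reports folder.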

7.6 Notifications

When the Safe'n'Sec is installed the following notification properties are defined:

Show notifications: All.

When the program generates an event it displays special notification windows. Depending on the seriousness of an event, a notification can have one of the following origins:

Protection status - indicates that protection status has changed or there are errors in protection components.
Program update - indicates that errors have occurred in the program update process.
Computer scan - indicates that new threats have been detected or there are errors in the scanning process.
Learning mode - used while application activity rules are being created.
Reports - used when automatically deleting reports.
License - used to notify you about the state of the license or when the license expires.

Actions

Disable notifications
1. Open the Program settings window from the program's context menu and select the Notifications section.
2. Uncheck the Show notifications checkbox.
or
3. To disable showing a notification of a specific origin uncheck the corresponding checkbox.

7.7 Program recovery

When the Safe'n'Sec is installed, backup copies of program settings and activity policies are created. If the program or other applications fail, you can restore the settings and policies from these backups.


Actions

Save program state
1. Open the Program settings window from the program's context menu and select the Recovery section.
2. Click the Save button.

Recover program
1. Open the Program settings window from the program's context menu and select the Recovery section.
2. Specify the recovery point marked with the Program setup in order for the Safe'n'Sec to restore its settings as they were when the program was first installed.
or
3. Specify the recovery point of a certain date in order for the Safe'n'Sec to restore its settings to those saved on the specified date.
4. Click the Recover button.

IMPORTANT

Program recovery completely rewrites current settings and all the data concerning application activities. It is not possible to merge data of the current settings and activity log with the backup data.

8 S.N.Safe'n'Software

S.N.Safe & Software Ltd. is a developer of information security solutions for personal users and for business and corporate clients.

S.N.Safe & Software Ltd. was founded in 2006 in Moscow as a spin-off of the Safe'n'Sec project from StarForce Technologies.

In 2003 StarForce's developers decided to apply their experience with anti-hacker measures to the development of computer protection systems, particularly Host-based Intrusion Prevention Systems, based on the proprietary Safe'n'Sec technology.

The Safe'n'Sec HIPS version for individual PC protection was released in October 2004. The decision to begin with a product for PC users was motivated by the novelty of behavior analysis technology on the Russian IT market. It was decided to check the technology's reliability on a mass basis with the help of non-advanced users. In autumn 2004 a new version was presented to visitors of the Softool exhibition, where we received many positive user comments.


In 2005 we presented our new product to the foreign IT market at the global ICT fair CeBIT 2005, Germany. In 2005 the Safe'n'Sec Business version was developed to meet the special needs of SMB networks. At the same time Panda released its TruePrevent, a first analog of our product.

In 2006 we presented Safe'n'Sec Enterprise for large corporate networks at Softool in Russia and at Systems in Munich, Germany. This version was developed especially for efficient protection of corporate networks of more than 1 000 workstations.

In 2006 we released a special version, Safe'n'Sec Timing, a system for control of application activity and user actions in a corporate network. Host Intrusion Prevention Systems became an accepted information security technology.

In 2007 the company released Safe'n'Sec Pro, providing constant and reliable PC protection from known and unknown threats and vulnerabilities. At that time our main competitors released their first solutions in this sphere. At the end of 2007 we released a new corporate version, Safe'n'Sec Enterprise Pro, based on Safe'n'Sec Pro.

The company's plans for the near future include development of the technologies included in the Safe'n'Sec complex protection system, and release of solutions for other OS (Linux, Apple).


Index

Activity policy 37

Application control policies 8, 16

Application properties

Common 26

Log 27

Restrictions 28

Ask user when complete 9

Ask user when detected 9

Automatic 10

Automatic update 40

Change application control policy 37

Change program settings 37

Change report lifetime 41

Computer scan

Anti-virus 31

Change threat response 33

Interrupt scan 31

Manually treat threats 34

Obtain information about the object found 34

Protection scope 33

Rootkit 31

Scan archives and e-mail bases 31

Scan results 33

Send objects found to Support 34

Start scan 31

Threats found 34

View scan report 31, 33

View threats found list 33

Context menu 7

Control panel 8

Custom rules 28

Delete all reports 41

Disable notifications 42

Disable sounds 40

Enable learning mode 37

Enable protection 37

Enable reports 41

Hide tray icon 40

Last scan 9

Last search for updates 10

Learning mode 37

Make decision on threats found 39

malicious code 4

No threats found 9

Notifications 28

Policy violation 30

Unknown application launch 29

On demand 10

Processes and applications

Application's properties 25

Program recovery 42

Program settings 37

Program update 40

Automatic update 35

Interrupt update 35

Setup automatic update 35

Setup network connection 35

Start update 35

View update report 35


Protect settings with password 40

Protect with password 40

Protection status 8

Quarantine 9

Restore program settings 37, 42

Safe'n'Soft 43

Scan 9

Scan all files/unknown threats 39

Scan archives and e-mail bases 39

Scan for rootkits 39

Scan has never been conducted 9

Scan is unavailable 9

Scan took place long ago 9

Setup automatic update 40

Setup network connection 40

Startup mode

Automatic 10

Threat response 9

Threats found 39

Unknown application 28

Untreated threats exist 9

Updates are out of date 10

Updates are unavailable 10

Updates are up to date 10

Updates installed 10

What is Safe'n'Sec 4