Client-settings - Monitor
The Monitor panel allows you to configure the most important aspects of client protection. The monitor should not be disabled, as it provides real-time protection against malware. It is therefore recommended that the monitor is only switched off if there is a justified reason for doing so, e.g. error detection or troubleshooting. It is possible to define exceptions for the monitor. If an application suffers from performance loss due to use of the monitor, exceptions can be added for the relevant program files or processes; excluded files are then no longer checked by the monitor. Setting up monitoring exceptions can represent a security risk.
Monitor settings can be used to configure the monitor and define exceptions.
- Monitor status: Switch the monitor on or off. In general you should leave the monitor switched on, as it is the foundation of permanent and uninterrupted virus protection.
- Use engines: The G DATA software works with two independently operating virus scanning engines. Using both engines guarantees optimum results for preventing viruses. Using just one engine can have performance advantages.
- Reaction to infected files: Specify the action to be taken if an infected file is detected. There are various options that may or may not be suitable, depending on what the respective client is used for:
  - Block file access: Neither read nor write access will be granted for an infected file.
  - Disinfect and move to quarantine: The file is moved to quarantine and an attempt is made to remove the virus.
  - Move file to quarantine: The infected file is moved to quarantine. The system administrator can then try to manually disinfect the file.
  - Delete infected file: This function serves as a strict measure for effectively containing a virus. In the rare case of a false positive, this may lead to data loss.
- Infected archives: Specify here how infected archives are to be treated. When specifying these settings, you should bear in mind that a virus in an archive will only be harmful when it is unpacked from the archive.
- Scanning mode: Define when files should be scanned. Read access scans every file directly when it's read. Read and write access adds a scan on writing, to protect against viruses that are copied from another possibly unprotected client or from the Internet. On execution scans files only when they are executed.
- Monitor network access: Enable network access monitoring.
- Heuristics: Through heuristic analysis, viruses are not only detected on the basis of the constantly updated virus databases, but also on characteristics typical of viruses. This method provides additional security, but may also produce a false alarm in rare cases.
- Check archives: Checking compressed data in archives is a very time-consuming process and can generally be omitted if the G DATA virus monitor is always enabled on your system. The monitor can detect a previously hidden virus while the archive is being unzipped and can automatically prevent it from spreading. To avoid decreasing performance with unnecessary checks of large archive files that are rarely used, you can set a size limit (number of kilobytes) for archives that should be checked.
- Check email archives: This option should generally be disabled, as scanning email archives takes a long time, and if an infected email is found, the entire mailbox is moved to quarantine or deleted - depending on the virus scan settings. Email in the mail archive may no longer be available in such a case. As the monitor also blocks execution of email attachments, disabling this option does not create a security hole. Moreover, when using Outlook, incoming and outgoing mails are scanned using an integrated plug-in.
- Check system areas on startup/Check system areas on media change: System areas (such as boot sectors) in your computer should be included in virus checks. Here, you can specify whether these should be checked on system start-up and/or whenever a media change occurs (new DVD, etc.). Generally, you should have at least one of these two functions activated.
- Check for dialers / spyware / adware / riskware: You can use the G DATA software to check your system for dialers and other malware programs (spyware, adware, riskware). This includes programs that establish unrequested, expensive Internet connections and are potentially every bit as damaging as a virus in terms of economic impact. For example, spyware can silently record end user surfing behavior or keystrokes (including passwords) and forward this to third parties via the Internet.
- Notify user when a virus has been found: If this option is enabled, when a virus is found by the monitor, a notification window is displayed, informing the user that a virus has been found on the system. The file that has been found, its path and the name of the malware found are displayed.
Under Exceptions, you can exclude specific directories from virus checks, for example to omit folders containing seldom-used archives from real-time checks and cover them with a dedicated scan job instead. Files and file types can also be excluded from the virus check. The following exceptions can be configured:
- Directory: Select a folder (including any subfolder contained within it) that you do not want to be checked by the monitor.
- Drive: Select a drive (partition, hard disk) that you do not want to be checked by the monitor.
- File: Enter the name of a file that you do not want to be checked by the monitor. You can use wildcards.
Wildcards work as follows: the question mark symbol (?) represents a single character. The asterisk symbol (*) represents an entire character string. For instance, in order to exclude all files with the file extension exe, enter *.exe. To exclude files with different spreadsheet formats (e.g. .xls, .xlsx), simply enter *.xls?. Or, to exclude files of various types that have identical initial file names, enter (e.g.) text*.*. This would cover files called text1.txt, text2.txt, text3.txt, etc.
- Process: If a specific process should not be monitored by the monitor, enter the complete path and filename of the process (e.g. :\Windows\system32\cmd.exe).
You can repeat this procedure as many times as you wish, and you can delete or modify the existing exceptions in the Exceptions window.
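The following added example (not part of the G DATA manual or product) models the file exception wildcards described above and adds the review check the warning at the top of this page calls for: which configured exceptions also take executable content out of real-time scanning. It assumes the DOS wildcard convention that a trailing ? may also match nothing, which is what makes the manual's *.xls? example cover both .xls and .xlsx; the exception list and the executable extension list are constructed for illustration.

```python
import re

# Constructed list of extensions whose exclusion deserves administrator review.
EXECUTABLE_EXTENSIONS = ("exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "js")


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Compile a monitor exception pattern: '*' is any run of characters
    (including none) and '?' is exactly one character.  Assumption, taken
    from the DOS wildcard convention and not stated in the manual: a '?' at
    the end of the pattern may also match nothing, so that '*.xls?' covers
    both '.xls' and '.xlsx' as the manual's example expects."""
    parts = []
    for i, ch in enumerate(pattern):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            trailing = set(pattern[i:]) == {"?"}
            parts.append(".?" if trailing else ".")
        else:
            parts.append(re.escape(ch))
    # Windows file names are case-insensitive, so the comparison is too.
    return re.compile("".join(parts), re.IGNORECASE)


def is_excluded(filename: str, exceptions) -> bool:
    """True if any configured file exception would stop the monitor
    from scanning this file name."""
    return any(wildcard_to_regex(p).fullmatch(filename) for p in exceptions)


def risky_exceptions(exceptions):
    """Return the exceptions an administrator should review because they
    also take executable content out of real-time scanning: patterns whose
    extension is unconstrained ('*.*', 'text*', no dot at all) or whose
    extension part matches a known executable extension."""
    risky = []
    for p in exceptions:
        ext = p.rsplit(".", 1)[1] if "." in p else "*"
        if "*" in ext or any(wildcard_to_regex(ext).fullmatch(e) for e in EXECUTABLE_EXTENSIONS):
            risky.append(p)
    return risky


if __name__ == "__main__":
    # Constructed exception list, not taken from the manual.
    configured = ["*.xls?", "text*.*", "*.ex?", "*.log"]
    print(is_excluded("Report.XLSX", configured))   # True
    print(risky_exceptions(configured))             # ['text*.*', '*.ex?']
```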
Behavior monitoring provides further protection against malicious files and processes. Unlike the monitor, it is not signature-based, but analyzes the actual behavior of a process. To undertake a classification, behavior monitoring uses various criteria, such as write access to the registry and the possible creation of auto-start entries. If sufficient criteria lead to the conclusion that a program is exhibiting suspicious behavior, the action set under If a threat is detected will be carried out. The options Log only, Halt program, and Halt program and move to quarantine are available here.
Whenever behavior monitoring carries out an action, a report is added to the Security events tab. If a program has falsely been identified as a threat, the corresponding report can be used to create a whitelist entry. Whitelist entries can be viewed and removed by clicking Edit global whitelist.
Exploits specifically look for vulnerabilities in third party software on the client. ExploitProtection constantly checks the behavior of the installed software for irregularities. If any unusual behavior is detected in a software process, the action that has been defined under If an exploit is detected is carried out: Log only or Prevent execution. If Notify user if an exploit is detected has been enabled, the user will also receive a notification.
Whenever ExploitProtection carries out an action, a report is added to the Security events tab. If a program has falsely been identified as a threat, the corresponding report can be used to create a whitelist entry. Whitelist entries can be viewed and removed by clicking Edit global whitelist.
USB Keyboard Guard
USB Keyboard Guard protects clients against BadUSB attacks. Maliciously reprogrammed USB devices, such as cameras, USB sticks or printers, can act as keyboards when they are plugged into a computer. To prevent those devices from automatically carrying out unauthorized commands, USB Keyboard Guard will ask the user for confirmation if it detects a USB device that identifies itself as a keyboard. If the user indeed plugged in a keyboard, it can be safely authorized. If the device identifies itself as a keyboard but the user plugged in something else, it should not be authorized, as it may be malicious.
Regardless of the user's decision, a report will be added to the Security events tab. If a device has been authorized, the administrator can decide to block it nonetheless by right-clicking on the report and revoking the authorization.
Whereas regular malware infects devices to use them as part of a botnet or to steal credit card information, ransomware developers try to make money by extorting the user directly. In order to extract a ransom, ransomware locks the device or even encrypts data until the victim pays up. In addition to signature- and behavior-based detection, the Anti-Ransomware function detects the specific actions of ransomware, such as file encryption, and blocks them before it can do any more harm. When ransomware is detected, the action set under In case of a threat will be carried out. The options Log only and Move to quarantine are available. If Notify user in case of a threat has been enabled, the user will also receive a notification.
Whenever Anti-Ransomware carries out an action, a report is added to the Security events tab. If a program has falsely been identified as a threat, the corresponding report can be used to create a whitelist entry. Whitelist entries can be viewed and removed by clicking Edit global whitelist.