Module Client settings
The Client settings module manages settings for individual clients or groups of clients. Using the General, Monitor, Email, Web and AntiSpam options you can extensively configure protection for network clients.
Client settings - General
The General tab allows you to configure general settings for the selected clients.
G DATA Security Client
The G DATA Security Client section covers basic client functionality.
- Note: Enter any notes or remarks that apply to this client.
- Tray icon: Choose when the client icon should be displayed in the system tray: Never, Display in first session only (for terminal servers and Windows Fast user switching) or Always display (in all sessions). If the icon is not displayed, the functionality of Security Client is severely limited (for example, Idle scan cannot be used and the user has no access to the Client functions).
- Assigned to: By default, clients are assigned to the main ManagementServer. The dropdown list displays the main ManagementServer and its subnet servers and can be used to quickly assign a client to a specific (subnet) server.
The Updates section lets you define virus signature and program file update settings.
- Update virus signatures automatically: Enables automatic updating of the virus signatures. At every synchronization interval the clients check whether new virus signatures exist on the G DATA ManagementServer. If new virus signatures are available, they are automatically installed on the client.
- Update program files automatically: Enables automatic updating of the program files. At every synchronization interval the clients check whether updated program files exist on the G DATA ManagementServer. If updated program files are available, they are automatically installed on the client. A client reboot may be necessary after the update. Depending on the setting under Reboot after update, the client user has the option of postponing the completion of the update.
- Reboot after update: Select Open message box on client to inform the user that they should restart their client computer at a convenient time, Create report to create a report in the Security events module, or Force reboot to automatically force a restart.
- Participate in the Malware Information Initiative to improve detection rates: Enable participation in the Malware Information Initiative. The G DATA SecurityLabs continuously research new technologies to protect our customers against malware (viruses, worms and malicious programs). The more information is available, the higher the efficacy of the technologies. However, much information is available only on systems that have been attacked or infected. In order to include even such information in the analyses, the G DATA Malware Information Initiative was founded. In this context, malware-related information is sent to the G DATA SecurityLabs.
Signature update settings
Define where clients obtain their virus signature updates:
- Load signature updates from the ManagementServer: Clients will obtain virus signature updates from their ManagementServer. They will check for updates at every synchronization interval.
- Load online signature updates independently: Clients will obtain updates from the central G DATA update servers. The update check can be scheduled under Settings and scheduling.
- Load online signature updates independently, if no connection to the ManagementServer can be established: This option is recommended for mobile workstations such as laptops. When the client has a connection to the ManagementServer, it will download its updates from there. If there is no connection to the ManagementServer, the virus signatures are automatically downloaded from the G DATA update servers. The update check can be scheduled under Settings and scheduling.
Specify which proxy settings the client or group should use.
If enabled, the user can use their own proxy settings, but this should only be allowed in exceptional cases. Enabling the option may compromise the security of the client.
The proxy server can also be configured differently from the system-wide settings without applying the user's proxy settings.
Under Client functions, you can set permissions for local users to change Security Client settings. User rights can be very extensive or restrictive, as your network policy demands.
- Allow the user to run virus checks: In case of a suspected virus infection, the user can run a local virus check, independent of the ManagementServer schedule. Results of this virus check will be transferred to the ManagementServer during the synchronization. Additionally, this lets users change settings for local virus checks.
- Allow the user to download signature updates: If you enable this function, the user of the client computer is allowed to download virus signatures over the Internet, without connecting to the ManagementServer. This is especially important if the client has a laptop that is often used outside the network perimeter.
- Allow the user to change monitor options: If this function is enabled, the client user has the option to change the Monitor settings.
- Allow the user to change email options: If this function is enabled, the client user has the option to change the Email and AntiSpam settings.
- Allow the user to change web options: If this function is enabled, the client user has the option to change the Web settings.
- Allow the user to display the local quarantine: If you allow the local quarantine to be displayed, the user can, if necessary, disinfect, delete or restore data that was moved into quarantine. In doing so, note that a virus is not removed by restoring a file from quarantine. This option should therefore only be made accessible to experienced users.
- Protect client settings with a password: To prevent improper manipulation of local settings, there is the option of only permitting options to be changed when a password is entered. This allows you, for example, to prevent end users from changing settings. The password is set specifically for the selected client or group and it should only be shared with authorized users.
You can define exceptions that are not to be checked during the execution of scan jobs. Archives and restore partitions, for example, can be defined as exception directories. You can also define file extensions as exceptions. Exceptions can be defined for complete groups. If the clients in a group have defined different exception directories, new directories can be added or existing ones can be deleted. The directories specially defined for individual clients are preserved. The same procedure also goes for monitor exceptions.
To allow the client to perform a virus scan when the computer is idle, tick Idle scan enabled. By clicking the Edit button, you can define the scan scope, which includes all local hard drives by default.
Client settings - Monitor
The Monitor panel allows you to configure the most important aspects of client protection. The monitor should not be disabled, as it provides real-time protection against malware. It is therefore recommended that the monitor is only switched off if there is a justified reason for doing so, e.g. error detection or troubleshooting. It is possible to define exceptions for the monitor. If an application suffers from performance loss due to use of the monitor, exceptions can be added for the relevant program files or processes; excluded files are then no longer checked by the monitor. Setting up monitoring exceptions can represent a security risk.
Monitor settings can be used to configure the monitor and define exceptions.
- Monitor status: Switch the monitor on or off. In general you should leave the monitor switched on, as it is the foundation of permanent and uninterrupted virus protection.
- Use engines: The G DATA software works with two independently operating virus scanning engines. Using both engines guarantees optimum results for preventing viruses. Using just one engine can have performance advantages.
- Reaction to infected files: Specify the action to be taken if an infected file is detected. There are various options that may or may not be suitable, depending on what the respective client is used for:
  - Block file access: Neither read nor write access will be granted for an infected file.
  - Disinfect and move to quarantine: The file is moved to quarantine and an attempt is made to remove the virus.
  - Move file to quarantine: The infected file is moved to quarantine. The system administrator can then try to manually disinfect the file.
  - Delete infected file: This function serves as a strict measure for effectively containing a virus. In the rare case of a false-positive virus message, this may lead to data loss.
- Infected archives: Specify here how infected archives are to be treated. When specifying these settings, you should bear in mind that a virus in an archive will only be harmful when it is unpacked from the archive.
- Scanning mode: Define when files should be scanned. Read access scans every file directly when it's read. Read and write access adds a scan on writing, to protect against viruses that are copied from another possibly unprotected client or from the Internet. On execution scans files only when they are executed.
- Monitor network access: Enable network access monitoring.
- Heuristics: Through heuristic analysis, viruses are not only detected on the basis of the constantly updated virus databases, but also on characteristics typical of viruses. This method provides additional security, but may also produce a false alarm in rare cases.
- Check archives: Checking compressed data in archives is a very time-consuming process and can generally be omitted if the G DATA virus monitor is always enabled on your system. The monitor can detect a previously hidden virus while the archive is being unzipped and can automatically prevent it from spreading. To avoid decreasing performance with unnecessary checks of large archive files that are rarely used, you can set a size limit (number of kilobytes) for archives that should be checked.
- Check email archives: This option should generally be disabled, as scanning email archives takes a long time, and if an infected email is found, the entire mailbox is moved to quarantine or deleted - depending on the virus scan settings. Email in the mail archive may no longer be available in such a case. As the monitor also blocks execution of email attachments, disabling this option does not create a security hole. Moreover, when using Outlook, incoming and outgoing mails are scanned using an integrated plug-in.
- Check system areas on startup/Check system areas on media change: System areas (such as boot sectors) in your computer should be included in virus checks. Here, you can specify whether these should be checked on system start-up and/or whenever a media change occurs (new DVD, etc.). Generally, you should have at least one of these two functions activated.
- Check for dialers / spyware / adware / riskware: You can use the G DATA software to check your system for dialers and other malware programs (spyware, adware, riskware). This includes programs that establish unrequested expensive Internet connections and are potentially every bit as damaging as a virus in terms of economic impact. For example, spyware can silently record end user surfing behavior or keystrokes (including passwords) and forward this to third parties via the Internet.
- Notify user when a virus has been found: If this option is enabled, when a virus is found by the monitor, a notification window is displayed, informing the user that a virus has been found on the system. The file that has been found, its path and the name of the malware found are displayed.
Under Exceptions, you can exclude specific directories from virus checks, for example to omit folders with archives that are seldom used in order to integrate them into a special scan job. Files and file types can also be excluded from the virus check. The following exceptions can be configured:
- Directory: Select a folder (including any subfolder contained within it) that you do not want to be checked by the monitor.
- Drive: Select a drive (partition, hard disk) that you do not want to be checked by the monitor.
- File: Enter the name of a file that you do not want to be checked by the monitor. You can use wildcards.
Wildcards work as follows: the question mark symbol (?) represents individual characters. The asterisk symbol (*) represents entire character strings. For instance, in order to exclude all files with the file extension exe, enter *.exe. To exclude files with different spreadsheet formats (e.g. .xls, .xlsx), simply enter *.xls?. Or, to exclude files of various types that have identical initial file names, enter (e.g.) text*.*. This would involve files called text1.txt, text2.txt, text3.txt, etc.
- Process: If a specific process should not be monitored by the monitor, enter the complete path and filename of the process (e.g. :\Windows\system32\cmd.exe).
You can repeat this procedure as many times as you wish, and you can delete or modify the existing exceptions in the Exceptions window.
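Because monitor exceptions can represent a security risk, it helps to see what a wildcard entry really covers before deploying it. The following is an added example, not G DATA code: a small Python audit that expands file exceptions written with the wildcards described above against a file inventory and reports which excluded files carry active content. The matcher, the extension list and all file names are assumptions constructed for illustration; `?` is allowed to match no character so that `*.xls?` covers both .xls and .xlsx as stated above.

```python
import os
import re

# Extensions treated as active content in this audit (assumption, adjust to policy).
ACTIVE_CONTENT_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                       ".vbs", ".js", ".msi", ".xlsm", ".docm"}

# Constructed sample inventory and exception list (not taken from a real client).
SAMPLE_FILES = ["text1.txt", "text2.txt", "textpad_setup.exe", "budget.xls",
                "budget.xlsx", "budget.xlsm", "report.xlsb", "notes.txt",
                "updater.exe", "Text_macro.vbs", "old_backup.bak"]
SAMPLE_EXCEPTIONS = ["*.exe", "*.xls?", "text*.*", "*.bak"]


def wildcard_to_regex(pattern):
    """Translate a file exception such as '*.xls?' into a compiled regex.

    '*' stands for an entire character string, '?' for an individual character.
    Assumption: '?' may also match nothing, so '*.xls?' covers .xls and .xlsx.
    Neither wildcard crosses a path separator.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\/]*")
        elif ch == "?":
            parts.append(r"[^\\/]?")
        else:
            parts.append(re.escape(ch))
    # Windows file names are case-insensitive.
    return re.compile("".join(parts), re.IGNORECASE)


def excluded_files(pattern, filenames):
    """Return the file names an exception would remove from monitoring."""
    rx = wildcard_to_regex(pattern)
    return [name for name in filenames if rx.fullmatch(name)]


def audit_exceptions(patterns, filenames):
    """For each exception, list what it excludes and which hits are active content."""
    findings = []
    for pattern in patterns:
        hits = excluded_files(pattern, filenames)
        active = [n for n in hits
                  if os.path.splitext(n)[1].lower() in ACTIVE_CONTENT_EXTS]
        findings.append({"pattern": pattern,
                         "excluded": hits,
                         "active_content": active})
    return findings


def risky_exceptions(findings):
    """Exceptions that exclude at least one active-content file."""
    return [f["pattern"] for f in findings if f["active_content"]]


if __name__ == "__main__":
    for finding in audit_exceptions(SAMPLE_EXCEPTIONS, SAMPLE_FILES):
        status = "REVIEW" if finding["active_content"] else "ok"
        print(f'{finding["pattern"]:<8} {status:<6} '
              f'excludes {len(finding["excluded"])} file(s), '
              f'active content: {finding["active_content"]}')
```

On the sample inventory, `text*.*` excludes an installer and a script in addition to the intended text files, and `*.xls?` also excludes a macro-enabled workbook.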
Behavior monitoring provides further protection against malicious files and processes. Unlike the monitor, it is not signature-based, but analyzes the actual behavior of a process. To undertake a classification, behavior monitoring uses various criteria, such as write access to the registry and the possible creation of auto-start entries. If sufficient criteria lead to the conclusion that a program is exhibiting suspicious behavior, the action set under If a threat is detected will be carried out. The options Log only, Halt program, and Halt program and move to quarantine are available here.
Whenever behavior monitoring carries out an action, a report is added to the Security events tab. If a program has falsely been identified as a threat, the corresponding report can be used to create a whitelist entry. Whitelist entries can be viewed and removed by clicking Edit global whitelist.
Exploits specifically look for vulnerabilities in third-party software on the client. ExploitProtection constantly checks the behavior of the installed software for irregularities. If any unusual behavior is detected in a software process, the action that has been defined under If an exploit is detected is carried out: Log only or Prevent execution. If Notify user if an exploit is detected has been enabled, the user will also receive a notification.
Whenever ExploitProtection carries out an action, a report is added to the Security events tab. If a program has falsely been identified as a threat, the corresponding report can be used to create a whitelist entry. Whitelist entries can be viewed and removed by clicking Edit global whitelist.
USB Keyboard Guard
USB Keyboard Guard protects clients against BadUSB attacks. Maliciously reprogrammed USB devices, such as cameras, USB sticks or printers, can act as keyboards when they are plugged in to a computer. To prevent those devices from automatically carrying out unauthorized commands, USB Keyboard Guard will ask the user for confirmation if it detects a USB device that identifies itself as a keyboard. If the user indeed plugged in a keyboard, it can be safely authorized. If the device identifies itself as a keyboard but the user plugged in something else, it should not be authorized, as it may be malicious.
Regardless of the user's decision, a report will be added to the Security events tab. If a device has been authorized, the administrator can decide to block it nonetheless by right-clicking on the report and revoking the authorization.
Whereas regular malware infects devices to use them as part of a botnet or to steal credit card information, ransomware developers try to make money by extorting the user directly. In order to extract a ransom, ransomware locks the device or even encrypts data until the victim pays up. In addition to signature- and behavior-based detection, the Anti-Ransomware function detects the specific actions of ransomware, such as file encryption, and blocks them before it can do any more harm. When ransomware is detected, the action set under In case of a threat will be carried out. The options Log only and Move to quarantine are available. If Notify user in case of a threat has been enabled, the user will also receive a notification.
Whenever Anti-Ransomware carries out an action, a report is added to the Security events tab. If a program has falsely been identified as a threat, the corresponding report can be used to create a whitelist entry. Whitelist entries can be viewed and removed by clicking Edit global whitelist.
Client settings - Email
Virus protection for email can be set up on every G DATA Security Client. The default ports for the POP3, IMAP, and SMTP protocols will be monitored. Additionally, a special plugin for Microsoft Outlook automatically checks all incoming email for viruses and prevents infected email from being sent.
The Incoming email section defines options for scanning incoming emails.
- Reaction to infected files: Specify the action to be taken if an infected file is detected. There are various options here that may or may not be suitable, depending on what the respective client is used for.
- Check received email for viruses: By enabling this option, all emails that the client receives will be checked for viruses.
- Check unread email at program startup (Microsoft Outlook only): This option is used to scan emails for viruses that the client may receive while it is offline. All unread email in your Inbox folder and subfolders is checked as soon as you open Outlook.
- Attach report to received infected emails: As soon as one of the emails sent to the client contains a virus, you will receive the following message in the body of this email beneath the actual email text: "WARNING! This mail contains the following virus", followed by the name of the virus. In addition, you will find a [VIRUS] notification before the actual subject. If you enabled the option Delete text/attachment, you will also be notified that the infected part of the email was deleted.
The Outgoing email section defines options for scanning outgoing emails.
- Check email before sending: To make sure that you do not send out any infected emails, the G DATA software offers the option of checking outgoing emails for viruses before sending them. If an email actually contains a virus, the message "The mail [subject header] contains the following virus: [virus name]" is displayed and the relevant email is not sent.
- Attach report to outgoing emails: A report is displayed in the body of each outgoing email below the actual mail text. It reads "Virus checked by G DATA ANTIVIRUS", provided that you have enabled the Check email before sending option. G DATA engine version info and virus news can also be added (Engine version/Virus news).
The Scan options section configures the scan parameters for incoming and outgoing emails.
- Use engines: The G DATA software works with two independently operating virus scanning engines. Using both engines guarantees optimum results for preventing viruses. Using just one engine can have performance advantages.
- OutbreakShield: OutbreakShield detects and neutralizes threats from malicious programs in mass emails before the relevant up-to-date virus signatures become available. OutbreakShield uses the Internet to monitor increased volumes of suspicious emails, closing the window between a mass mail outbreak and its containment with specially adapted virus signatures, practically in real time. Under Edit, you can specify whether OutbreakShield uses additional signatures to increase detection performance. In addition, you can enter access data here for the Internet connection or a proxy server, which allows OutbreakShield to carry out an automatic signature download from the Internet.
The Warnings section configures warning messages for recipients of infected emails.
- Notify user when a virus has been found: Recipients of an infected message will automatically be notified through a virus warning pop-up.
Outlook protection enables email scans using an integrated plugin.
- Protect Microsoft Outlook with an integrated plugin: Activation of this function inserts a new function in the client's Outlook program under the Tools menu, called Scan folder for viruses. Regardless of the G DATA Administrator settings, an individual client user can scan the currently selected email folder for viruses. In the email display window, you can use Check email for viruses in the Tools menu to run a virus check of the file attachments. When the process has been completed, an information screen appears in which the result of the virus check is summarized. Here you can see whether the virus analysis was completed successfully, get information about the number of emails and attachments scanned and about any read errors, as well as any viruses found, and how they were dealt with.
By default, the standard ports for POP3 (110), IMAP (143) and SMTP (25) are monitored. If your system's port settings are different, you can customize the settings accordingly.
Outlook Protection enables email scans in Outlook using an integrated plug-in.
Protect Microsoft Outlook with an integrated plug-in: When this function is activated, a new function called Scan folder for viruses is added to the client's Outlook in the Tools menu.
Regardless of the G DATA Administrator settings, the user of the individual client can scan the currently selected mail folder for viruses. Right-click on the folder to be scanned. Select G DATA at the bottom of the menu and then Check for viruses.
Client settings - Web
The Web panel allows you to define in-depth scan settings for internet traffic and online banking.
If you choose not to check Internet content, the Monitor will engage anyway when a user tries to access infected downloaded files. That means that the system on the respective client is also protected without checking Internet content, as long as the virus monitor is active.
Internet traffic (HTTP)
The section Internet traffic (HTTP) covers scan settings for HTTP traffic.
- Process Internet traffic (HTTP): HTTP web content is checked for viruses while browsing. Infected web content is not run at all and infected pages are not displayed. If the network is using a proxy to access the Internet, the server port the proxy is using must be entered. Web content control (available in G DATA Endpoint Protection Business) also uses these settings.
- Avoid browser timeout: Since G DATA software processes web content before it is displayed in the Internet browser, there will be a certain amount of latency, depending on the data traffic. It is possible for an error message to appear in the Internet browser because the browser does not receive data immediately. This error message can be suppressed by enabling Avoid browser timeout. As soon as all browser data have been checked for viruses, they will be transmitted to the Internet browser.
- Limit file size for downloads: You can disable the HTTP check for web content that is too large. The contents will still be monitored by the virus monitor to check if suspected malicious routines become active. The advantage of enabling the size limit is that there are no delays caused by virus checks when downloading large files.
- Global whitelist for web protection: Exclude certain web sites from the internet traffic check.
Banking trojans are becoming an ever greater threat. The BankGuard technology secures online banking by checking the validity of network libraries, to make sure the browser is not being manipulated by a banking trojan. This proactive protection works in more than 99% of the cases and even protects from unknown trojans. BankGuard should be activated for all clients that use Internet Explorer, Firefox, and/or Chrome.
Client settings - AntiSpam
The AntiSpam module is available as part of the Client Security Business, Endpoint Protection Business and Managed Endpoint Security solutions.
If you check the option Use spam filter, client email traffic will be checked for possible spam mails. You can configure a warning message that will be added to the subject line when an email is identified as spam or falls under suspicion of being spam.
If the Microsoft Outlook plugin has been enabled, incoming spam mails will be moved to the AntiSpam folder. For other e-mail clients, spam mails can be automatically moved to a dedicated spam folder by defining a filter rule that matches the spam warning in the subject. To configure AntiSpam settings when using Microsoft Exchange, see Exchange settings > AntiSpam.