Kaspersky Lab WorkSpace Security EU ED, 10-14u, 3Y, RNW KL4851XAKTR User Manual
Product codes
KL4851XAKTR
U
S E R
G
U I D E
74
Typical activity of such programs includes the following:
actions typical of a malicious object penetrating and implanting in the system;
malicious actions as such;
actions typical of a malicious object spreading.
Keyloggers
Keylogger is a program that intercepts each keypress at the keyboard. Such a malicious program can send any
information entered at the keyboard (logins, passwords, credit card numbers) to an intruder. However, keypress
interception may be used by common legal programs. An example of such programs is a video game that has to
intercept data entered at the keyboard to be aware of keys being pressed by the user, when functioning in full-screen
mode. Also, keypress interception is often used to activate a program's function from another program using
"hotkeys".
information entered at the keyboard (logins, passwords, credit card numbers) to an intruder. However, keypress
interception may be used by common legal programs. An example of such programs is a video game that has to
intercept data entered at the keyboard to be aware of keys being pressed by the user, when functioning in full-screen
mode. Also, keypress interception is often used to activate a program's function from another program using
"hotkeys".
Hidden driver installation
Hidden driver installation is a process of installing a malicious program's driver in order to obtain low-level access to
the operating system which may allow concealing the malicious program persisting in the system and complicating
its removal. Hidden installation process can be detected using common means (such as Microsoft Windows Task
Manager), but since no standard installation windows appear during the driver installation, the user can hardly
suspect that he or she should track the processes running within the system.
the operating system which may allow concealing the malicious program persisting in the system and complicating
its removal. Hidden installation process can be detected using common means (such as Microsoft Windows Task
Manager), but since no standard installation windows appear during the driver installation, the user can hardly
suspect that he or she should track the processes running within the system.
However, in some cases Proactive Defense may return a false alert. For example, the most recent video games are
protected against unauthorized copying and distribution. With that end in view, they install system drivers on the
user's computer. Such activities may be classified as "hidden driver installation" in some cases.
protected against unauthorized copying and distribution. With that end in view, they install system drivers on the
user's computer. Such activities may be classified as "hidden driver installation" in some cases.
Modifying the operating system kernel
The operating system kernel grants the applications running on the computer a coordinated access to the computer's
resources: CPU, RAM, and external hardware. Some malicious programs can attempt to change the operating
system kernel's logic, by redirecting queries from standard drivers to itself. When malicious programs obtain the low-
level access to the operating system in that way, they attempt to conceal their presence and complicate the process
of removing them from the system.
resources: CPU, RAM, and external hardware. Some malicious programs can attempt to change the operating
system kernel's logic, by redirecting queries from standard drivers to itself. When malicious programs obtain the low-
level access to the operating system in that way, they attempt to conceal their presence and complicate the process
of removing them from the system.
An example of a false alert returned by Proactive Defense is the component's reaction to certain encryption systems
designed for hard disk drives. Those systems designed to ensure comprehensive data protection install a driver into
the system, implanting into the operating system kernel in order to intercept queries to the files on the hard drive, and
to perform encryption/decryption operations.
designed for hard disk drives. Those systems designed to ensure comprehensive data protection install a driver into
the system, implanting into the operating system kernel in order to intercept queries to the files on the hard drive, and
to perform encryption/decryption operations.
Hidden object / Hidden process
Hidden process is a process that cannot be detected by common means (such as Microsoft Windows Task Manager,
Process Explorer, etc.). Rootkit (i.e. "kit designed to obtain root privileges") is a program or a collection of programs
for the hidden control of a hacked system. This term has been imported from Unix.
Process Explorer, etc.). Rootkit (i.e. "kit designed to obtain root privileges") is a program or a collection of programs
for the hidden control of a hacked system. This term has been imported from Unix.
In the scope of Microsoft Windows, rootkit usually means a masking program that implants into the system,
intercepts and falsifies system messages containing the information about the processes running in the system and
about the content of folders on the disk drive. In other words, a rootkit functions similarly to a proxy server, as it lets
certain data flow intact while blocking or falsifying the rest of data. Also, a rootkit can usually mask the presence of
any processes, folders and files stored on a disk drive, and registry keys, if they are described in its configuration.
Many masking programs install their own drivers and services into the system, making them "invisible" both to
system management tools (such as Task Manager or Process Explorer), and to anti-virus applications.
intercepts and falsifies system messages containing the information about the processes running in the system and
about the content of folders on the disk drive. In other words, a rootkit functions similarly to a proxy server, as it lets
certain data flow intact while blocking or falsifying the rest of data. Also, a rootkit can usually mask the presence of
any processes, folders and files stored on a disk drive, and registry keys, if they are described in its configuration.
Many masking programs install their own drivers and services into the system, making them "invisible" both to
system management tools (such as Task Manager or Process Explorer), and to anti-virus applications.
A particular case of hidden process is an activity consisting in attempting to create hidden processes with negative
PID values. PID is the personal identification number that the operating system assigns to each running process. PID
is unique for each running process, it is only static for each one in the current session of the operating system. If the
PID of a process has a negative value, this process is hidden, so it cannot be detected using common means.
PID values. PID is the personal identification number that the operating system assigns to each running process. PID
is unique for each running process, it is only static for each one in the current session of the operating system. If the
PID of a process has a negative value, this process is hidden, so it cannot be detected using common means.
An example of a false alert is the triggering of Proactive Defense reacting to gaming applications which protect their
own processes against hacking utility tools designed to evade license restrictions or cheat.
own processes against hacking utility tools designed to evade license restrictions or cheat.