Kaspersky Lab WorkSpace Security EU ED, 10-14u, 3Y, RNW KL4851XAKTR User Manual
Product codes
KL4851XAKTR
PROACTIVE DEFENSE
75
Modifying HOSTS file
The hosts file is one of the most important system files of Microsoft Windows. It is designed to redirect access to web
resources by resolving host names (the server part of a URL) to IP addresses locally on the computer, before any DNS
server is consulted. The hosts file is a plain text file in which each line defines the mapping between the symbolic
name of a server and its IP address.
Malicious programs often use this file to redefine the addresses of the update servers of anti-virus applications, in
order to block updates and prevent their own detection by the signature method, as well as for other purposes.
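As an added example (not code from the manual or from Kaspersky Lab), the following Python script parses hosts file content in the line format described above and flags entries that override the names of protection-product servers. The hosts content, the server names under "av-vendor.example" and the PROTECTED_HOSTS list are constructed for illustration; a real check would use the product's own server names.

```python
import ipaddress

# Constructed sample hosts file content (illustrative, not taken from any real system).
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
# Entries of the kind described above: update servers pointed at the local machine
127.0.0.1       update.av-vendor.example
0.0.0.0         downloads.av-vendor.example     # sinkholed
# ...or redirected to a third-party address
198.51.100.7    activation.av-vendor.example
"""

# Host names the local protection product must be able to reach.
# Assumed list for this example; a real check would use the product's own server names.
PROTECTED_HOSTS = {
    "update.av-vendor.example",
    "downloads.av-vendor.example",
    "activation.av-vendor.example",
}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts file text.

    Comments (#...) and blank lines are ignored; one line may map several
    names to one address, as the hosts file format allows.
    """
    entries = []
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing to map
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not a valid IPv4/IPv6 address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(entries, protected=PROTECTED_HOSTS):
    """Flag hosts entries that override protected names.

    Returns (hostname, ip, reason) tuples. A protected name mapped to a
    loopback or unspecified address is 'sinkholed' (updates silently fail);
    one mapped to any other address is 'redirected' (updates go elsewhere).
    """
    findings = []
    for ip, name in entries:
        if name in protected:
            if ip.is_loopback or ip.is_unspecified:
                findings.append((name, str(ip), "sinkholed"))
            else:
                findings.append((name, str(ip), "redirected"))
    return findings


def non_local_entries(entries):
    """List every mapping other than localhost -> loopback.

    On a typical workstation the hosts file contains nothing else, so any
    remaining entry is worth reviewing even if its name is not on the
    protected list.
    """
    return [(name, str(ip)) for ip, name in entries
            if not (name == "localhost" and ip.is_loopback)]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for finding in audit_hosts(parsed):
        print("ALERT", *finding)
    for extra in non_local_entries(parsed):
        print("REVIEW", *extra)
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; the same parser applies to /etc/hosts on Unix-like systems. Comparing the parsed entries against a known-good baseline, rather than only against a fixed list of names, catches redirections of any host the attacker chooses.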
Redirecting input-output
The essential weak point here is a command-line interpreter running with its input and output redirected (usually to
a network connection), which, as a rule, can be used to obtain remote access to the computer.
A malicious object attempts to gain access to the command line of the target computer, which is then used to
execute commands. Access is usually obtained after a remote attack and the launch of a script that exploits this
vulnerability. The script runs the command-line interpreter with its input and output connected to the remote computer
over TCP. As a result, the intruder can control the system remotely.
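As an added example (not code from the manual or from the product), the following Python detection logic looks for the two observable signs of the activity described above in process and network events: a command-line interpreter started by a script host, and a command-line interpreter that itself opens a non-loopback TCP connection. The event records are constructed in a simplified Sysmon-like form, and the INTERPRETERS and SCRIPT_HOSTS sets are assumptions for this example.

```python
import ipaddress
import ntpath

# Process images that are command-line interpreters (assumed set for this example).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Parents that indicate a script, not a user, launched the interpreter (assumed set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events in a simplified Sysmon-like form (not real telemetry):
# kind 'create' = process creation, kind 'connect' = outbound network connection.
EVENTS = [
    {"kind": "create", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "connect", "pid": 2200, "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "203.0.113.10", "port": 443},
    {"kind": "create", "pid": 5566, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"kind": "connect", "pid": 5566, "image": r"C:\Windows\System32\cmd.exe",
     "dst": "198.51.100.23", "port": 8443},
    {"kind": "connect", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "dst": "127.0.0.1", "port": 8080},
]


def image_name(path):
    """Lower-case file name of a process image; ntpath handles Windows paths on any host OS."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def detect_remote_shell(events):
    """Return (indicator, pid, detail) alerts for interpreter processes.

    Indicator 'interpreter_spawned_by_script': a shell whose parent is a script host.
    Indicator 'interpreter_network_connection': a shell talking to a non-loopback address,
    which is what the redirected input/output in the text looks like on the wire.
    """
    alerts = []
    for ev in events:
        if image_name(ev["image"]) not in INTERPRETERS:
            continue
        if ev["kind"] == "create":
            parent = image_name(ev["parent"])
            if parent in SCRIPT_HOSTS:
                alerts.append(("interpreter_spawned_by_script", ev["pid"], parent))
        elif ev["kind"] == "connect":
            if not ipaddress.ip_address(ev["dst"]).is_loopback:
                detail = f"{ev['dst']}:{ev['port']}"
                alerts.append(("interpreter_network_connection", ev["pid"], detail))
    return alerts


def correlate(alerts):
    """Group alerts by pid; a pid showing both indicators is the strongest signal."""
    by_pid = {}
    for indicator, pid, _detail in alerts:
        by_pid.setdefault(pid, set()).add(indicator)
    return {pid: sorted(kinds) for pid, kinds in by_pid.items() if len(kinds) >= 2}


if __name__ == "__main__":
    found = detect_remote_shell(EVENTS)
    for alert in found:
        print("ALERT", *alert)
    print("correlated:", correlate(found))
```

A shell launched from explorer.exe that connects only to loopback (pid 4120 in the sample) produces no alert, while the shell started by wscript.exe that then connects outbound (pid 5566) trips both rules. Local administration tools that legitimately run shells with network access should be allow-listed by image path and signer rather than by name alone.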
Intruding into a process / Intruding into all processes
There are many types of malicious programs that masquerade as executable files, libraries or extension modules of
known programs and inject themselves into standard processes. In this way an intruder can cause data loss on the
user's computer. Network traffic created by the malicious code is not filtered out by firewalls, because they see it as
traffic created by a program that has already been granted Internet access.
Trojans usually inject into other processes. However, such activity is also typical of certain harmless programs,
update packages and installation wizards. For example, translation programs inject into other processes in order to
track hotkey presses.
Suspicious access to the registry
Malicious programs modify the registry in order to register themselves for autorun at operating system startup,
change the home page in Microsoft Internet Explorer, and perform many other destructive actions. However, please
note that the system registry is also accessed by ordinary programs. For example, ordinary programs may create and
use hidden registry keys to conceal their own confidential information (including license information) from the
user.
Malicious programs create hidden registry keys that ordinary tools (such as regedit) do not display. Keys with invalid
names are created so that the registry editor cannot display those values, which makes diagnosing the presence of
malware in the system more difficult.
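As an added example (not code from the manual or from the product), the following Python audit walks a snapshot of registry values and reports the three conditions the section describes: autorun entries (with extra weight when they point into user-writable folders), a changed Internet Explorer home page, and key or value names containing control characters such as an embedded NUL, which the registry editor cannot display. The snapshot, the AUTORUN_KEYS list and the USER_WRITABLE pattern are constructed assumptions for this example.

```python
import re

# Well-known autorun locations (assumed, illustrative subset; a production
# check would cover services, Winlogon, scheduled tasks and more).
AUTORUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Internet Explorer home page value named in the text.
HOME_PAGE = (r"hkcu\software\microsoft\internet explorer\main", "start page")
# Folders an unprivileged user can write to (assumed pattern for this example).
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|programdata)\\", re.IGNORECASE)
# Characters that make a key or value name invalid for the registry editor.
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")

# Constructed snapshot of (key, value name, data) triples; not from a real machine.
SNAPSHOT = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    # value name with an embedded NUL, which regedit cannot display
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Svc\x00Host",
     r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page",
     "http://search.example/?affid=123"),
    (r"HKCU\Software\ExampleApp\Settings", "Theme", "dark"),
]


def audit_registry(records):
    """Return (finding, key, detail) tuples for the conditions described above."""
    autorun = {k.lower() for k in AUTORUN_KEYS}
    findings = []
    for key, name, data in records:
        key_l, name_l = key.lower(), name.lower()
        # Names a user cannot see in regedit are the hidden-key trick from the text.
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(name):
            findings.append(("invalid_name", key, repr(name)))
        if key_l in autorun:
            if USER_WRITABLE.search(data):
                findings.append(("autorun_user_writable", key, repr(name)))
            else:
                findings.append(("autorun", key, repr(name)))
        if (key_l, name_l) == HOME_PAGE:
            findings.append(("home_page", key, data))
    return findings


if __name__ == "__main__":
    for finding in audit_registry(SNAPSHOT):
        print(*finding)
```

The plain 'autorun' finding is informational: it gives the reviewer the baseline of legitimate startup entries to compare against. Because the hidden-name trick depends on the editor's handling of the name, a check like this has to read the raw key and value names from the registry API rather than from an exported .reg file, which would already have lost or mangled them.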
Sending data using trusted applications
There are many types of malicious programs that masquerade as executable files, libraries or extension modules of
known programs and inject themselves into standard processes. In this way an intruder can cause data loss on the
user's computer. Network traffic created by the malicious code is not filtered out by firewalls, because they see it as
traffic created by a program that has already been granted Internet access.
Suspicious activity in the system
This type of event consists in detecting suspicious behaviour of an individual process: a change in the operating
system's status, for example, obtaining direct access to physical memory (RAM) or obtaining debugger privileges. The
intercepted activity is not typical of most programs, yet it is dangerous, so it is classified as suspicious.
Sending DNS requests
A DNS server is designed to answer DNS requests using the corresponding protocol. If no record matching a DNS
request is found in the local DNS server's database, the request is forwarded until it reaches a server that holds the
required information. Because most protection systems let DNS requests through without scanning them, the content
of a DNS packet may carry additional fragments containing the user's personal data. An intruder who controls a DNS
server that processes those requests has an opportunity to obtain this information.
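As an added example (not code from the manual or from the product), the following Python detection logic reads DNS query log lines and scores each queried name for the signs of data being carried inside DNS requests as described above: unusually long subdomains, hex-encoded labels and high character entropy. The log lines, their field format and the thresholds are constructed assumptions for this example, and the "registrable domain" is simplified to the last two labels.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed query log in an assumed "client= qname= type=" format (not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z client=10.0.0.5 qname=www.example.com type=A
2024-03-01T09:00:02Z client=10.0.0.5 qname=cdn.example.net type=A
2024-03-01T09:00:03Z client=10.0.0.5 qname=4a6f686e20446f65.2c204170706c65.exfil.example type=TXT
2024-03-01T09:00:04Z client=10.0.0.5 qname=3132333435363738.39303132333435.exfil.example type=TXT
2024-03-01T09:00:05Z client=10.0.0.9 qname=mail.example.org type=MX
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+type=(?P<qtype>\S+)")
HEX_RE = re.compile(r"[0-9a-f]+")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a name into (zone, payload) with the zone assumed to be the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-2:])
    payload = "".join(labels[:-2])  # everything the client chose to put in the query
    return zone, payload


def indicators(qname):
    """Return (zone, list of indicator names) for one queried name."""
    zone, payload = split_name(qname)
    found = []
    if len(payload) >= 24:
        found.append("long_subdomain")
    if len(payload) >= 16 and HEX_RE.fullmatch(payload):
        found.append("hex_payload")
    if shannon_entropy(payload) >= 3.0:
        found.append("high_entropy")
    return zone, found


def parse_log(text):
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def detect_dns_exfil(text, min_indicators=2):
    """Flag queries with at least min_indicators signs of carried data.

    Returns (flagged, volume): flagged is a list of (client, qname, qtype, indicators);
    volume counts distinct flagged names per (client, zone), since carrying data
    needs many unique queries to the same attacker-controlled zone.
    """
    flagged = []
    per_zone = defaultdict(set)
    for client, qname, qtype in parse_log(text):
        zone, found = indicators(qname)
        if len(found) >= min_indicators:
            flagged.append((client, qname, qtype, found))
            per_zone[(client, zone)].add(qname)
    volume = {key: len(names) for key, names in per_zone.items()}
    return flagged, volume


if __name__ == "__main__":
    hits, counts = detect_dns_exfil(SAMPLE_LOG)
    for hit in hits:
        print("ALERT", *hit)
    print("distinct flagged names per client/zone:", counts)
```

The second flagged name shows why two indicators are required rather than entropy alone: a hex payload made of mostly repeated digits has low entropy but is still long and hex-only. Expect false positives from legitimate services that encode data in labels (content delivery networks, anti-spam lookups), so allow-list those zones, and replace the last-two-labels assumption with a public suffix list before using this on real traffic.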