Specifying program actions and setting up the protection level

Specifying application actions and setting the protection level

The default protection level for Kaspersky Anti-Virus is Recommended. This level denies access to all infected objects, malware (worms, Trojan programs) and suspicious objects that are being accessed for reading, writing or execution, and displays a message prompting the user for action.

Note that archives, email databases, and plain text mail files ARE NOT SCANNED in real-time protection mode! An exception is self-extracting archives, which are scanned if the Maximum Protection level is selected.

While real-time protection is on, you can select both the level of computer protection and the type of action to be performed if a suspicious or infected object is detected.

To configure application actions upon detection of a malicious object:

Click Configure Real-Time Protection in the left section of the Settings tab or modify settings in the status area of the Protection tab.

When the Real-Time Protection settings dialog box opens, select the protection level using a slider. By changing the protection level, you change the balance between the speed of the scan and the number of objects to be scanned. The fewer objects scanned, the faster the scan will be.

Note that archives are not scanned or disinfected in real-time protection mode! To scan and disinfect archives use a full computer scan.

Real-time protection configuration

Kaspersky Anti-Virus allows the user to select one of three protection levels:

Maximum Protection - this level ensures maximum monitoring of objects that are being opened, saved or run.

Recommended - this level of protection is recommended by Kaspersky Lab. At this level, the same types of object are scanned as at the Maximum Protection level, except for self-extracting archives and outgoing email messages.

High Speed - this level ensure good computer performance while you are working with programs that require considerable RAM resources, since the list of objects to be scanned is shorter.

The table below contains a list of all objects that may be subject to an anti-virus scan. The + sign indicates that the object will be scanned if the corresponding level is selected, while the - sign indicates that the object will not be scanned.


	Maximum Protection	Recommended	High Speed
Files that potentially can be infected	+	+	+
Disk boot sectors	+	+	+
Packed files	+	+	+
OLE objects	+	+	+
Incoming email messages	+	+	+
Outgoing email messages	+	-	-
Self-extracting archives	+	-	-
Email databases and messages	-	-	-

You can specify files to be excluded from the scan scope at each level of real-time protection, or disable real-time protection.

Specify types of action to be performed on detection of an infected or suspicious object:

Block access and prompt user for action - deny access to the object and display a message prompting the user to choose which action is to be performed on the object. This is the default mode.

If you do not specify the action within 30 seconds after the message is displayed, the recommended action will be performed on this object. Each type of detected object has its own recommended action. For example, for infected objects the recommended action is Disinfect. Beside the name of recommended action the text (recommended) is always displayed.

The list of possible recommended actions is as follows (a subset of these actions is available for each different type of object):

disinfect infected objects;

quarantine suspicious objects that are possibly infected with a virus or a virus modification;

Sometimes, after a file has been quarantined, a message appears notifying the user that the object cannot be deleted. This is related to the fact that quarantined objects are copied to the quarantine folder and deleted from their initial location. However, some objects, for example, objects contained in a self-extracting archive, cannot be deleted in this way.

delete malicious programs (Trojans and worms) or infected objects that could not be disinfected;

skip - do not perform any action on objects, but record information on their detection in the report.

If you want to quarantine an infected object, choose the Skip action and then quarantine the object manually (see section Working with quarantined objects).

Block access and perform recommended action - deny access to the object and perform a recommended action on this object. The Recommended action for infected objects is Disinfect, for possibly infected objects it is Quarantine and for trojan horses and worms it is Delete.

Block access and delete infected objects - delete objects without any additional warning to the user.

Block access and write information to log file - deny access to the object, and do not display messages prompting user for action.

In some situations no action can be performed on an object, for instance, if an infected object is being used by another program at the time of detection and therefore cannot be processed. In this case, a message will be displayed with a suggestion that you:

disinfect at system startup. This action will be listed only if this object can be disinfected;

delete at system startup;

skip.

Please note that the actions listed above do not apply to email messages and dangerous scripts:

Upon the detection of an infected or possibly infected email message, the recommended action is performed with no additional notification to the user.

Upon the detection of a dangerous script, you will always be notified and will be able to determine further actions yourself.

See also:

Checking the protection status