SafenSoft SySWatch v.3.6
Contents
1. - File Mask: Masks (asterisks) can be used to create activity control rules for file system objects of the same type or with similar names. A regular expression for the full file or folder name, including the path to the object, can be created using the following masks: replaces any number of characters except; replaces any number of characters; O equivalent to the comparison with zero byte; replaces 1 character.
   - Install Mode: Launch application and add it to the system profile as a trusted application.
   - Isolated User: VIPO sandbox, more restricted than the Safe n Sec sandbox and used to launch unknown or restricted applications.
   - Known Applications: Applications that have been added to the system profile.
   - Limited Mode: Launch application in a sandbox under a VIPO restricted user account.
   - Limited User: Safe n Sec sandbox used for known, trusted but potentially dangerous applications.
   - Restricted Applications: Applications that are present in the system profile but not included in the Trusted group, or unknown applications that are not present in the system profile. In the SysWatch Processes and applications window both are grouped under Restricted Applications.
   - Simple Mode: Used immediately after installation, before the system profile is created, to protect the system during auto-adjust system profile creation.
   - System Profile: Database containing all the information needed to identify a
2. 2. In the General settings for program update window, click the Configure button.
   3. In the Advanced settings window, select the Connection tab.
   4. Check Use default proxy settings, then enter Address and Port number (80 by default). Enter User name and Password if authorization is required.
   5. Click the Apply button to apply changes, or click the Ok button to apply changes and close the window.

   © 2011 SafenSoft

   Set credentials for automatic updates
   1. Click on the Update section of the Control Panel. Then click on the Settings link to open the Update section of the Application settings window.
   2. In the General settings for program update window, click the Configure button.
   3. In the Advanced settings window, select the Credentials tab.
   4. Set an account for automatic updates if you do not want to run updates under the Local system account (default).
   5. Click the Apply button to apply changes, or click the Ok button to apply changes and close the window.

   4.3 Scan
   It is possible that your computer might have been infected with malware before SafenSoft SysWatch was installed. For this reason, a full scan to detect and neutralize any existing malware is performed automatically during the automatic adjustment process if an antimalware scanner is included with your version of the product. Otherwise, a third-party antimalware scanner should be used to run a complete scan before installing SafenSoft SysWatch. The antimalware scanner uses the
3. Check the SafenSoft SysWatch actions to be protected with a password (Changing program settings, Uninstalling program) and click the Ok button. Now, whenever any user on your computer attempts to perform the actions you selected, SafenSoft SysWatch will always request a password.

   3.2.2.1.1 System Profile Creation
   In order to ensure the best possible protection, SafenSoft SysWatch automatically creates and adjusts System Profiles the first time it is run. If the computer is restarted or switched off before the end of this automatic adjustment process, it will continue from the point at which it was stopped when the system is powered back on. After the automatic adjustment is successfully completed, SafenSoft SysWatch Extended Mode is activated, which enables you to:
   - Classify all installed applications into trusted (known) and potentially harmful (unknown) categories.
   - Execute unknown applications in a sandbox and automatically block any malicious activities.
   - Reduce the need for user interaction when a decision needs to be made about an application launch.

   System Profile creation consists of the following steps:
   - Update automatic adjustment components via the Internet. If an Internet connection is unavailable, existing components are used.
   - Search and collect information about all executable files (exe, com, dll, etc.).
   - Identification of executable files.
   - Define rules for application execution Trusted or known application Restrict
4. components to be updated (Program or AV bases).
   4. Click the Ok button to apply changes.

   Change Internet connection settings for automatic update task
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window.
   2. Select the Update section of the Application settings window.
   3. In the General settings for program update window, click the Configure button.
   4. In the Advanced settings window, select the Connection tab.
   5. Check Use default proxy settings, then enter Address and Port number (80 by default). Enter User name and Password if authorization is required.
   6. Click the Apply button to apply changes, or click the Ok button to apply changes and close the window.

   Set credentials for automatic update task
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window.
   2. Select the Update section of the Application settings window.
   3. In the General settings for program update window, click the Configure button.
   4. In the Advanced settings window, select the Startup options tab.
   5. Set an account for automatic updates if you do not want to run updates under the Local system account (default).
   6. Click the Apply button to apply changes, or click the Ok button to apply changes and close the window.

   3.2.2.4 Settings
   When SafenSoft SysWatch is instal
5. 5.2.2.1.4 Restrictions and Permissions
   The Restrictions and Permissions tab in the Application properties window contains information about Custom rules that control an application when it accesses computer resources and devices. These rules are grouped into the following categories:
   - File system
   - System Registry
   - Network
   - Process privileges

   Custom rules take precedence over Common rules. It is the Custom rules that are evaluated first. The product may be shipped with a predefined set of rules established by the company's experts as a result of examining the behavior of the given application. The process of changing Custom rules for an application is exactly the same as the process for changing Common rules.

   Actions
   Change custom rules for the application
   1. Choose Processes and applications from the Context menu.
   2. Select an application from the list, right-click on it and choose Application properties.
   3. In the Restrictions and Permissions tab, under the restriction section, rules can be set for:
      - File system access
      - System registry access
      - Network access
      - Process privileges
   4. Click OK in the Application properties window.

   6 Alerts
   SafenSoft SysWatch controls all activities of all applications installed on the computer and notifies the user about each policy or rules violation or an unknown application launch attempt. This section describes SafenSoft SysWatch alerts.
6. Block any network activity for restricted applications
   1. Choose the Activity policy item in the context menu.
   2. Switch to the Common rules tab in the Application control policy window. Select the Network protection scope from the drop-down list.
   3. Select the Any network activity network rule from the list and uncheck the Allow checkbox next to it.
   4. Click the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy.

   Deny access to USB devices and set exceptions
   1. Choose the Activity policy item in the context menu.
   2. Switch to the Common rules tab in the Application control policy window. Select the Devices protection scope from the drop-down list.
   3. Select the USB Devices from the list and:
      - Uncheck the Read checkbox to protect the selected USB device from being read by applications. This will automatically prevent change or deletion of the files and folders stored on the USB device.
      - Uncheck the Write checkbox to protect the selected USB device from new file and folder creation and the alteration of existing data by applications.
      - Uncheck the Delete checkbox to protect files and folders stored on the selected USB device from being deleted.
   4. Click on the Additional link.
   5. Change the following settings in the Additional window:
      - Users: select the users to be controlled by the rule.
      - Time: set time periods for the rule to be a
7. Common: applicable for a group of applications. Common rules can be created for All, Trusted or Restricted applications, and certain applications can be excluded from the rules.
   - All blocked: specifies that the execution and all actions by the application are blocked.
   - Vendor: determines the producer of the application (read from the version info of the application).
   - Full name: determines the name and the path to the installation directory of the application (read from the version info of the application).

   Actions
   Block application
   1. Choose Processes and applications in the context menu.
   2. Specify one or more applications in the list and select the Block execution item of the context menu.
   3. Click the OK or Apply button to save the changes.
   Please be careful when blocking execution of an application. If you block execution of a system service or process, it may lead to Windows inoperability.

   Add new application
   1. Choose the Processes and applications item in the context menu.
   2. Click the Add link and specify an application in the Open file dialogue.
   3. Click the OK or Apply button to save the changes. The application will be added to the restricted applications.

   Move application to Trusted
   1. Choose the Processes and applications item in the context menu.
   2. Specify one or more applications in the list and right-click on them.
   3. From the context menu select the Trust to application item, or Move to trusted for the group of applications
8. - protection is enabled
   - protection is disabled
   - automatic adjustment is being performed
   - update is in progress
   - computer is being scanned

   The icon also provides quick access to the basic components via the SysWatch interface: the context menu and the main window.
   - The Context menu is opened by right-clicking on the application icon.
   - To open the SafenSoft SysWatch control panel, double-click on the application icon.

   Context menu
   The Context menu is opened by right-clicking on the application icon in the notification area. You can run tasks and quickly access SafenSoft SysWatch settings from the context menu. The SafenSoft SysWatch context menu contains the following items:
   - SafenSoft SysWatch: open main window (Control panel).
   - Settings: view and change the program's parameters.
   - Activity Policy: change the application activity policies.
   - Processes and applications: view and change the application parameters.
   - Scan: select objects and start a scan for malicious code.
   - Update: download and install application updates, if available.
   - Reports: view system, update, scan and system profile creation reports.
   - Turn protection off/on: change the status of the protection.
   - About: view information about SafenSoft SysWatch.
   - Show program icon: toggle visibility of the program's icon in the notification area.
   - Interface language: change the language used in the program interface.
   - Exit: sh
9. - Unknown application launch
   - Unknown installer launch

   Actions
   Allow unknown application launch
   1. Launch the new application.
   2. SafenSoft SysWatch suspends the launch and pops up an Alert window.
   3. If you are sure that the application is safe, set Execute in install mode and click the Execute button. The application and all its modules will be added to the system profile as Trusted. You can scan the application for malicious code from the Alert window: click the Scan link to check the application, if an antimalware scanner and appropriate license are available. If you are not sure that the application is safe, set Execute in a limited mode and click the Execute button to launch the application in a sandbox. The application will be launched under the Isolated user account and malicious activity will be blocked.

   Block launch of unknown application
   1. When an unknown application launch is attempted, SafenSoft SysWatch suspends the launch and pops up an Alert window.
   2. If you don't know what application is launching or don't trust it, click the Block button to block the launch.

   Allow launch of unknown installer
   1. Launch the setup program for the new application.
   2. SafenSoft SysWatch suspends the launch and pops up an Alert window.
   3. Uncheck the Run in limited mode checkbox and click the Execute button. All the installer modules will be added to the system profile as Trusted.

   Bloc
10. Then choose Settings to open the application settings window.
   2. In the Protection Status section, click the Configure button to open the General Settings for Protection window.
   3. Choose the Applications tab and check Disable script engine.
   4. Click the Ok button.

   Enable dll modules control
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window.
   2. In the Protection Status section, click the Configure button to open the General Settings for Protection window.
   3. Choose the Applications tab and check Enable dll modules control. Click the Ok button.
   4. To enable dll modules control, the system must be restarted.

   Remove information about rarely launched applications
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window.
   2. In the Protection Status section, click the Configure button to open the General Settings for Protection window.
   3. Choose the Applications tab and click the Clean up now button.
   4. Click the Ok button.

   Set automatic removal of the information about rarely launched applications
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window.
   2. In the Protection Status section, click the Configure button to open the General Settings for Protection wind
11. application
   - Allow application: the application will be moved to Restricted
   - Trust to application
   4. Click the OK button in the Application properties window.

   Turn on Install mode
   1. Choose the Processes and applications item in the context menu.
   2. Select an application from the list, right-click on it and choose the Application properties item.
   3. In the Execution conditions tab, check the Turn on Install mode checkbox.
   4. Click the OK button in the Application properties window.

   Set Limited execution account
   1. Choose the Processes and applications item in the context menu.
   2. Select an application from the list, right-click on it and choose the Application properties item.
   3. In the Execution conditions tab, set Limited User.
   4. Click the OK button in the Application properties window.

   5.2.2.1.3 Activity History
   The History tab section in the Application properties window contains information about application activities that relate to file resource and System Registry access.
   - Time: specifies the date and time of an event.
   - Event: contains a description of the event.
     - Execute: specifies when the application started.
     - Stop: specifies when the application stopped.
     - Read: indicates that the application has read a file or System Registry object.
     - Change: indicates that the application has created or changed a file or a System Registry object. The changed objects can be r
12. file system object in the tree and:
      - Check the Read checkbox in order to protect the file from reading by applications. This will automatically block changing and deletion of the file.
      - Check the Write checkbox to protect the file object from creation and altering by applications.
      - Check the Delete checkbox to protect the file object from being deleted.
   4. Right-click in the Use for column to change the group of applications which will be affected by the activity control rule:
      - All: the rule will be applied to all applications.
      - Trusted: the rule will be applied to known (trusted) applications which are present in the system profile.
      - Restricted: the rule will be applied to potentially dangerous (restricted) or unknown applications which are not present in the system profile.
   5. Right-click in the Use for column and choose the Additional item.
   6. Change the following settings in the Additional window:
      - Users: select users to be controlled by the rule.
      - Time: set time periods for the rule to be active. The rule will be active all the time by default.
      - Exceptions: select applications that are not to be affected by the rule.
   7. Click the OK button in the Additional window to save changes.
   8. Click the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy.

   5.2.1.2 System Registry
   The System Registry protection scope cover
13. for Control policy violation only
   - Decide on the administering computer (applicable for corporate products only): Decision will be made by the administrator remotely via the management console (Admin Explorer).

   Actions
   Enable automatic processing of incidents
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the Application settings window.
   2. Check Enable automatic processing of incidents and click Configure.
   3. Under the Incidents tab you can set automatic decisions on different incidents.
   4. Click the Ok button when changes are done.

   3.2.2.2 Scan
   When SafenSoft SysWatch is installed, the following anti-malware scan parameters are set by default (if the scanner is available in the product):
   - Threat action: Treat, Delete incurable objects
   - Check files: Only executable files
   - Advanced check: Use digital signatures: Enabled
   - Check removable devices automatically: Disabled
   - Startup account: Local system account
   - Scanner startup: Preinitialize scanner: Disabled

   Actions
   Set automatic scan of the removable devices
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the Application settings window.
   2. Select the Scan section of the Application settings window.
   3. Set Check removable devices automatically and Prompt for
14. get activated or
   3. In case no Internet connection is available, the program will suggest the Manual activation option.
   4. You will be asked to contact the Support service by phone and provide them with the serial number and hardware code.
   5. Type the license key obtained from the Support service in the Number field and click the Activate button.

   Program update
   Because we are continually improving the product, changes and new features may already be available at the time the software is installed. Additionally, the signature database accompanying the antimalware scanner (if included in the product) will need to be updated immediately upon installation. SafenSoft SysWatch will automatically check for updates and install them before the automatic adjustment process begins.

   Actions
   Change automatic update settings
   1. Click on the Update section of the Control Panel. Then click on the Settings link to open the Update section of the Application settings window.
   2. In the General settings for program update window you can Disable/Enable automatic updates, Enable/Disable confirmation before update, set the frequency of automatic updates and set the program components to be updated (program and signature databases).
   3. Click Ok to apply the changes.

   Change Internet connection settings for automatic updates
   1. Click on the Update section of the Control Panel. Then click on the Settings link to open the Update section of the Application settings window.
15. is updated or applications are launched in install mode.
   - Restricted applications: the number of applications added to the Restricted Applications group manually and unknown applications launched in the sandbox.
   - Blocked applications: the number of applications that were blocked. A blocked application will be prevented from launching as long as the application area is enabled.
   - Last incident: the last application which attempted to violate control policy or was otherwise blocked from launching.

   Actions
   Turn off protection
   1. Click the Settings link at the bottom of the Control Panel Status section.
   2. Uncheck the Enable Protection checkbox in the SysWatch Settings window and click OK to save the changes.

   3.3.2 Scan
   The Scan section displays information relating to the last malware scan and enables the scanner's settings to be changed. This is only available if your SysWatch license includes the optional antimalware scanner.
   - Scan has not been performed: indicates that a malware scan has never been performed on this computer.
   - Computer is checked and protected: the last scan either did not reveal any malware or all detected threats have been neutralized.
   - Untreated threats exist: during the last scan malware was detected which has not yet been neutralized. The next step should be to update the program and rescan it or manually neutralize the untreated thr
16. on Configure button to open the General Settings for Protection window.
   3. Choose the System Profiling tab and click the Stop button while system profiling is running.
   4. SysWatch will ask whether you wish to continue the automatic adjustment later or not.
   5. Click Yes if you would like to continue profile creation in future, or No if you would like to create the profile from the very beginning in future.

   Update System Profile
   1. In the General Settings for Protection window, choose the System Profile tab.
   2. For Scope, select Disks to create the System Profile, or Add files and folders to include them in the existing system profile.
   3. Click the Update button.

   3.2.2.1.2 Applications
   In the Applications tab you can change the following settings:
   - Save activity history of unknown applications on the first run.
   - Disable script engine to block JavaScripts and VBScripts from running. If the dll modules control is enabled, all the processes from the list below will be blocked. Hence all the js, vbs and Java bytecode which are executed by these interpreters will be blocked from running:
     - wscript.exe: Microsoft Windows Based Script Host
     - cscript.exe: Microsoft Console Based Script Host
     - java.exe: Java(TM) Platform SE binary
     - javaw.exe: Java(TM) Platform SE binary
     - javaws.exe: Java(TM) Web Start Launcher
   - Enable dll modules control (system restart is required).
17. specify the following objects to be scanned:
   - System memory: scan all running processes. It is recommended that a system memory scan be performed daily and whenever a new process not started by you appears.
   - Bootable sectors: scan the hard drive's boot sectors.
   - Objects in quarantine: scan objects moved to quarantine. It is recommended that objects in quarantine be scanned after each program update is completed.
   - All removable drives: scan all file system objects on all removable drives. It is recommended to scan removable drives whenever you plan to read or write files from or to such drives, or run a program from a removable drive.
   - All hard drives: scan all file system objects on all hard drives.
   - My computer: scan all file system objects on the computer.
   - Trash: scan all deleted objects.
   - My documents: scan your documents.
   - Desktop: scan all file system objects on the desktop.

   Actions
   Run scan
   1. Specify one or more objects in the Scan section of the Control panel.
   2. Click the Run scan button.
   3. To examine the state of the scan, click the Details link.

   View scan report
   1. Click the Last scan link in the Scan section of the Control panel.
   2. The TXT scan report will be opened.

   4.3.2 Scan results
   When a malicious object is detected, SafenSoft SysWatch determines the type (virus, worm, Trojan, spyware, etc.) and takes one of the following actions:
   - Treats or Deletes the infected object if tre
18. the application icon in the notification area to open the context menu. Then choose Reports to open the Reports folder.
   2. In the Reports folder you can find the following report types:
      - System
      - Update
      - Scan
      - Profile
   3. To view a report, double-click on it.

   3.2.8 Turn protection off
   - Turn protection off/on: change the protection status.
   IMPORTANT: New applications installed or launched when protection is turned off will not be added to the system profile automatically and will be considered as unknown applications when protection is re-activated.

   Actions
   Turn protection off
   1. Right-click on the program icon in the notification area to open the Context menu. Then choose Turn protection off to disable protection.

   Turn protection on
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Turn protection on to enable protection.

   3.2.9 About
   - About: view information about the version of SafenSoft SysWatch installed on this computer.

   Actions
   Open the About SafenSoft SysWatch window
   1. Right-click on the application icon in the notification area to open the context menu. Then choose the About item.
   2. The About SafenSoft SysWatch window will be opened.

   3.2.10 Show program icon
   - Show program icon: toggle the visibility of the SysWatch icon in the Windows notification area.

   Actions
   Hide program ico
19. window
   3. Click the Configure button under the Check files section to open the Advanced settings window.
   4. Choose the Startup options tab in the Advanced settings window.
   5. Set the scanner startup account if you do not want to run the scanner under the Local system account (default).
   6. Check Preinitialize scanner for faster scanning (requires more RAM). The scanner will be loaded into RAM at system startup.
   7. Click the Ok button in the Advanced settings window and in the Application settings window to apply changes.

   3.2.2.3 Update
   When SafenSoft SysWatch is installed, the following update parameters are set by default:
   - Update automatically: Enabled
   - Prompt for confirmation prior to updating: Disabled
   - Check for updates: Once a day
   - Content of updates: All
   - Use default proxy settings: Disabled (your web browser parameters are used for the Internet connection)
   - Credentials: Local system account
   - Notifications: Settings for application notifications

   Actions
   Change automatic update settings
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window.
   2. Select the Update section of the Application settings window.
   3. In the General settings for program update window you can Disable/Enable automatic updates, Enable/Disable confirmation before update, set the periodicity of automatic updates and set program
20. 4. Click the OK or Apply button to save the changes.

   Open application properties window
   1. Choose the Processes and applications item in the context menu.
   2. Select an application and click the Properties link, or right-click and select Application properties from the context menu.

   Delete application from Trusted
   1. Choose the Processes and applications item in the context menu.
   2. Specify one or more applications and from the context menu select the Delete application from Trusted item.
   3. The application will be moved to restricted applications.

   Delete application from list
   1. Choose the Processes and applications item in the context menu.
   2. Specify one or more inactive applications in the list and click the Delete from list link.
   When you delete an application from the list, all the structures related to this application will be removed from SafenSoft SysWatch's database (custom rules for this application, execution conditions, etc.).

   Delete application file on reboot
   1. Choose the Processes and applications item in the context menu.
   2. Specify the required application in the list and right-click on it.
   3. From the context menu select the Delete application file on reboot item.

   Terminate application
   1. Choose the Processes and applications item in the context menu.
   2. Specify the active application in the list and click the Terminate link.
   Please be careful specifying applicati
21. 4. Delete all files from:
      - C Documents and Settings All Users Application Data S N Safe & Software Safe n Sec Reports (for Windows XP)
      - C Users All Users S N Safe & Software Safe n Sec Reports (for Windows Vista, Windows 7)

   View reports
   1. Right-click on the application icon in the notification area to open the context menu. Then choose Reports to open the Reports folder.
   2. In the Reports folder you can find the following report types:
      - System
      - Update
      - Scan
      - Profile
   3. To view a report, double-click on it.

   3.2.2.4.3 Notifications
   When SafenSoft SysWatch is installed, the following parameters are set by default:
   - Sounds: Enabled
   - Show Notifications: Enabled

   When the program generates an event, it displays special notification windows. Depending on the seriousness of an event, a notification can be one of the following types:
   - Protection status: indicates that protection status has changed or there are errors in protection components.
   - Update: indicates that errors occurred in the program update process.
   - Scan for malware: indicates that new threats have been detected or there are errors in the scanning process.
   - Reports: used when the program automatically deletes reports.
   - Licensing: used to notify you about the state of the license or when the license expires.
   - Application installation/uninstallation: indicates installation, update or uninstall
22. 1. Choose Activity policy in the Context menu.
   2. Switch to the Common rules tab in the Application control policy window. Select the File system protection scope from the drop-down list.
   3. Select a file system object in the tree and:
      - Check the Read checkbox in order to protect the file from reading by applications. This will automatically block changing and deletion of the file.
      - Check the Write checkbox to protect the file object from creation and altering by applications.
      - Check the Delete checkbox to protect the file object from being deleted.
   4. Right-click in the Use for column to change the group of applications which will be affected by the activity control rule:
      - All: the rule will be applied to all applications.
      - Trusted: the rule will be applied to known (trusted) applications which are present in the system profile.
      - Restricted: the rule will be applied to potentially dangerous (restricted) or unknown applications which are not present in the system profile.
   5. Right-click in the Use for column and choose the Additional item.
   6. Change the following settings in the Additional window:
      - Users: select the users to be controlled by this rule.
      - Time: set time periods for the rule to be active. The rule will be active at all times by default.
      - Exceptions: select the applications to be excluded from the rule.
   7. Click the OK button in the Additional window to save changes.
   8. Click on OK or Apply button
23. - Detected Threat
   - Settings
   - System Profile Creation
   - Application control policy
   - Protection Scope
   - File system
   - System Registry
   - Network
   - Devices
   - Process Privileges
   - Interprocess interaction
   - Processes and applications
   - Application properties
   - General properties
   - Execution Conditions
   - Activity History
   - Restrictions and Permissions
   - Alerts
   - Unknown application launch
   - Unknown installer launch
   - Glossary
   - SafenSoft
   - Index

   1 Introduction
   Dear SafenSoft customer,
   Thank you for choosing SafenSoft SysWatch to protect your computer. Our experts have worked hard to ensure the software meets the highest standards of information security, and we believe that SafenSoft SysWatch, when installed and used in acc
24. NOTE: DLL modules control means the control of the libraries (.dll) or the drivers (.sys) which are loaded by the process or operating system. DLL modules control in the Simple Mode: SafenSoft SysWatch checks whether the libraries/drivers loaded by the process/system are present in the blacklist. If the libraries/drivers are present in the blacklist, they will be blocked. DLL modules control in the Extended Mode: SafenSoft SysWatch checks whether the libraries/drivers loaded by the process/system are present in the checksums database. If the checksums of the libraries/drivers are not present in the database or differ from the checksums stored in the database, they will be blocked. • Set automatic removal of the information about rarely launched applications. • Remove information about rarely launched applications. Actions. Save activity history of unknown applications on the first run: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window. 2. In the Protection Status section, click on the Configure button to open the General Settings for Protection window. 3. Choose the Applications tab and check Save activity history of unknown applications on the first run. 4. Click on the Ok button. Disable script engine: 1. Right-click on the application icon in the notification area to open the context menu
25. SysWatch PERSONAL User Manual. SafenSoft SySWatch v.3.6. Content: Introduction; What's new in SafenSoft SysWatch; System requirements; Installing SafenSoft SysWatch; Application Interface; Notification area icon; Context menu; Settings; Protection; System Profile Creation; Applications; View; Notifications; Activity policy; Processes and applications; Turn protection off; Show program icon; Control panel; Protection status; Scan; Update; License; Help and Support; Getting started; Program activation; Program update; Objects
26. Watch is going to restrict application's network activity. 14. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Change Network rule: 1. Choose the Activity policy item in the context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Network protection scope from the drop-down list. 3. Select an appropriate network rule from the list. 4. Click the Edit button. 5. Change the rule and click on the OK button to save changes. 6. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Remove Network rule: 1. Choose the Activity policy item in the context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Network protection scope from the drop-down list. 3. Select an appropriate network rule from the list. 4. Click the Delete button. 5. Click on the OK button to confirm deletion. 6. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Block any network activity for restricted applications: 1. Choose the Activity policy item in the context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Network protection scope from the drop-down list. 3. Select the Any networ
27. about each threat uncovered during the scan. 3. Start scan. Scan all files (search for unknown threats): 1. Open the Program properties window from the program's Context menu and select the Scan section, or click the Settings link in the Scan section of the Control panel. 2. In the Advanced settings window, set All files, check Mail bases and Archives, check Use digital signatures and Use heuristics for a slower but more comprehensive scan. 3. Start scan. Search for rootkits: 1. Open the Program settings window from the program's context menu and select the Scan section, or click the Settings link in the Scan section of the Control panel. 2. Check the Search for hidden resources checkbox. 3. Start scan. Set scanner startup parameters: 1. Click on the Update section of the Control Panel. Then click on the Settings link to open the Update section of the Application settings window. 2. Click on the Configure button under the Check files section to open the Advanced settings window. 3. Choose the Startup options tab in the Advanced settings window. 4. Set a scanner startup account if you don't want to run the scanner under the Local system account (default). 5. Check Preinitialize scanner for faster scanning (requires more RAM). The scanner will be loaded into RAM at system startup. 6. Click on the Ok button in the Advanced settings window and in the Application settings window to apply changes. 4.3.1 Objects You can
28. action on detected threat: 1. Open the Program properties window from the program's context menu and select the Scan section, or 2. Click the Settings link in the Scan section of the Control panel. 3. Set Select action when the scan finishes to view all found threats, or Ask action to be asked about every single threat during the scanning. 4. Start scan. 4.3.3 Detected Threats. The Detected threats list contains information about malicious objects found, along with the actions taken on those objects. Date: the date and time when a malicious object was found. Object: the name of the object and its path: • Filename • Process name in memory • Boot sector. Path: the full path to the object. Detected: the name of the malicious object. Status: the status of the object: • Detected: malicious object has been detected. • Treated: malicious object has been disinfected. • Deleted: malicious object has been deleted. • Moved to quarantine: malicious object has been moved to the quarantine folder. • Cannot be treated: the object cannot be disinfected. It is recommended the object be deleted manually. • Cannot be deleted: an error has occurred when deletion was attempted. In this instance it is recommended the process be terminated and the object blocked. • Cannot move to quarantine: an error occurred when an attempt was made to move the object to q
29. ation of any application with digital certificate. • Program modules blocking: indicates that the application has been blocked automatically or by the user's decision. • Message from administrator: used in corporate products only. • Restricting applications: indicates that the application was launched with restrictions in the sandbox or custom rules are applied. Actions. Disable notifications: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window. 2. Select the Notifications section of the main Application settings window. 3. Uncheck the Show notifications checkbox, or 4. To disable showing a notification of a specific origin, click on the Configure button and uncheck the corresponding checkbox. 5. Click on the OK button to apply changes. Disable sounds: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window. 2. Select the Notifications section of the main Application settings window. 3. Uncheck the Enable sounds checkbox. 4. Click on the OK button to apply changes. 3.2.3 Activity policy. • Activity policy: open the application activity policies window. Actions. Open application activity policies window: 1. Right-click on the SysWatch icon in the notification area to open the Context menu. Then choose Acti
30. atment is impossible. • Postpones treatment of infected objects detected until the scan is complete. SafenSoft SysWatch provides a list of detected threats on scan completion and will request a decision on the action to take for each object detected. • Asks for an action each time a threat is detected: • Treat: to treat the threat, or delete it if treatment is not possible, or terminate a malicious process. It is recommended this action is performed if your data or any of your applications have been modified by a malicious program. • Delete: to delete an infected file and terminate a malicious process. It is recommended this action is performed when a malicious program is detected. • Move to quarantine: to move an infected object to a special folder and block it from execution. This action is recommended whenever you suspect SafenSoft SysWatch has found a malicious object. • Skip: to take no action regarding the object. Actions. View detected threats: 1. A list of all threats detected is available only after a scan is complete. It also contains a log of all infected objects found since SafenSoft SysWatch was installed. 2. Click the Detected link in the Scan section of the Control panel. 3. The window with detected threats will be opened. View scan report: 1. Click the Last scan link in the Scan section of the Control panel. 2. A scan report in text format will be opened. Change the
31. by applications with adjusted activity restrictions (access to file system, registry, etc.). The following decisions on Launching unknown application are available: • Execute in a limited mode: launch the application in a sandbox. • Scan and execute in a limited mode: scan the application, then launch it in a sandbox if no malicious code was detected. • Execute in install mode: launch the application and add it to the system profile as trusted. • Scan and execute in install mode: scan the application, then launch it if no malicious code was detected. Add the application to the system profile as trusted. • Block: prevent the application from launching. The following decisions on Launching unknown installer/updater are available: • Install: launch the installer/updater and add all new modules to the system profile as trusted. • Scan and install: scan the installer/updater, then launch it if no malicious code was detected. Add all new application's modules to the system profile as trusted. • Install in a limited mode: launch the installer/updater in a sandbox. • Scan and install in a limited mode: scan the installer/updater, then launch it in a sandbox if no malicious code was detected. • Block: prevent the installer from launching. The following decisions on control policy violation are available: • Allow: an operation which is not allowed by the SysWatch's control policy will be permitted. • Scan and allow: after operation which
32. checking removable devices if it is necessary. 4. Click on the Ok button to apply changes. Set manual selection of the action on detected threat: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the Application settings window. 2. Select the Scan section of the Application settings window. 3. Set Select action when the scan finishes to view all found threats, or Ask action to be asked about every single threat during the scanning. 4. Click on the Ok button to apply changes. Set file types to be scanned for malicious code and scan methods: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the Application settings window. 2. Select the Scan section of the Application settings window. 3. Click the Configure button under the Check files section to open the Advanced settings window. 4. In the Advanced settings window, set All files, check Mail bases and Archives, check Use digital signatures and Use heuristics for a slower but more comprehensive scan. 5. Click on the Ok button in the Advanced settings window and in the Application settings window to apply changes. Set scanner startup parameters: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the Application settings window. 2. Select Scan section of the Application settings
33. ck application: the application will be moved to Blocked. • Trust application: the application will be moved to Trusted. • Turn on Install mode: all the application's modules, including new ones, will be added to the system profile. The application will be moved to Trusted. • Set execution account: Isolated user (set by default): the application will be launched in a sandbox. Potentially dangerous application activity will be blocked. Current account: the application will be launched outside the sandbox. For Blocked application: • Allow application: the application will be moved to Restricted. • Trust application: the application will be moved to Trusted. • Turn on Install mode: all the application's modules, including new ones, will be added to the system profile. The application will be moved to Trusted. Actions. Change execution conditions: 1. Choose the Processes and applications item in the context menu. 2. Select an application from the list, right-click on it and choose the Application properties item. 3. In the Execution conditions tab, under the restriction section, you can set the following parameters. For the Trusted application: • Block application: the application will be moved to Blocked. • Delete application from Trusted: the application will be moved to Restricted. For Restricted application: • Block application • Trust to application: the application will be moved to Trusted. For Blocked
34. crosoft Windows Vista Business x86/x64 SP1 • Microsoft Windows Vista Ultimate x86/x64 SP1 • Microsoft Windows 7 Home Basic x86/x64 • Microsoft Windows 7 Home Premium x86/x64 • Microsoft Windows 7 Professional x86/x64 • Microsoft Windows 7 Ultimate x86/x64. Hardware: • Intel Pentium x86/x64 800 MHz or compatible • 512 MB RAM or more • At least 150 MB free disk space. Installing SafenSoft SysWatch. Before installing SafenSoft SysWatch, ensure you have the latest version of the product. You can download the latest version here: http://products.safensoft.com/SafenSoft_SysWatch_Personal.exe. The installation program is implemented as a standard Windows wizard. Each window contains a set of buttons to control the installation process. These buttons and their actions are: • Next: accept the action and move to the next step in the installation process. • Back: return to the previous step in the installation process. • Cancel: cancel the installation. • Finish: complete the application installation procedure. Let us take a closer look at each step of the installation procedure. Step 1: To install SafenSoft SysWatch on your computer, run the installer (the file with the .exe extension named SafenSoft_SysWatch_Personal.exe). Step 2: Choose your language from the list and click OK. Step 3: Wait until SafenSoft SysWatch extracts its i
35. ctive. The rule will be active at all times by default. • Exceptions: select devices to be excluded from the rule. You can additionally allow/deny Read, Write and Delete access for the excepted device. • Update: update the list of USB devices attached to the computer. • Remove: remove the selected device from the list of excepted devices. 6. Click on the OK button in the Additional window to save changes. 7. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Disable autorun for all devices: 1. Choose Activity policy in the Context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Devices protection scope from the drop-down list. 3. Check Disable autorun for all devices. 4. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Disable access to CD/DVD devices: 1. Choose Activity policy in the Context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Devices protection scope from the drop-down list. 3. Select the CD/DVD Devices from the list and uncheck the Read, Write, Delete checkboxes. 4. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Disable access to LPT ports: 1. Choose Activity policy item in t
36. dor: specifies the name of the company that produced the application (read from the file's version). User: specifies that restrictions were manually assigned. System process: specifies whether it is a system process or not. Scan results: contains information about the most recent antimalware scan of the application (if the antimalware scanner and appropriate license are installed). Actions. Scan application for malicious code: 1. Choose the Processes and applications item in the context menu. 2. Select an application from the list, right-click on it and choose the Application properties item. 3. In the General tab, under the Scanning section, click the Scan link and select Scan from the context menu. 5.2.2.1.2 Execution conditions. On the Execution conditions tab under Application properties, the following parameters may be changed. For a Trusted application: • Block application: the application will be moved to Blocked. • Delete application from Trusted: the application will be moved to Restricted. • Turn on Install mode: all the application's modules, including new ones, will be added to the system profile. • Set execution account: Limited user: the application will be launched in a sandbox for trusted but potentially dangerous applications. Potentially dangerous application activity will be blocked. Current account: the application will be launched outside the sandbox. For Restricted application: Blo
37. e Alert window appearings the application will be blocked automatically. The Alert window may not appear if Automatic processing of incidents is enabled. It is necessary to set Delayed Decision in the Incident management window for the Alert window to appear in the case of security incidents. Actions. Allow launch of unknown application: 1. Launch the new application. 2. SafenSoft SysWatch suspends the launch and pops up an Alert window. 3. If you are sure that the application is safe, set Execute in install mode and click the Execute button. The application and all its modules will be added to the system profile as Trusted. You can scan the application for malicious code from the Alert window. Click the Scan link to check the application if the antimalware scanner and appropriate license are available. If you are not sure that the application is safe, set Execute in a limited mode and click on the Execute button to launch the application in a sandbox. The application will be launched under the Isolated user account, and the malicious activity will be blocked. Block launch of unknown application: 1. When an unknown application launch is attempted, SafenSoft SysWatch suspends the launch and pops up an Alert window. 2. If you don't know what application is launching or don't trust it, click on the Block button to block the launch. 6.2 Unknown installer launch. Unknown installer any se
38. eats using the detected threats list. • Scan data is obsolete: indicates that more than 5 days have passed since the last scan and so a new system scan should be initiated. • Scan is unavailable: indicates that the antimalware scanner is not available in the product or it has not been activated. In order to activate the scanner, enter the appropriate license key and reactivate the program. • Last scan: displays detailed information from the last antimalware scan. • Threat action: specifies what the antimalware scanner should do when a threat is detected: • Automatically treat infected object or delete it if treatment is not possible. • Select action when the scan finishes: request what should be done to infected objects after the scan is complete. • Ask action: request a decision as to what should be done with a malicious object each time the object is detected during a scan. • Settings: enables scan settings to be changed. • Quarantine: displays a list of objects to quarantine. Actions. Run antimalware scan: 1. Specify one or more objects in the Scan section of the Control panel. 2. Click the Run scan button. 3. To view the state of the scan at any time, click the Details link. The scan report will be opened. View scan report: 1. Click the Last scan link in the Scan section of the Control panel. 2. The scan report will be opened. 3.3.3 Update. The Update secti
39. ect the devices to be excluded from the rule. You can additionally allow/deny Read, Write and Delete access for the excepted device. • Update: update the list of USB devices attached to the computer. • Remove: remove the selected USB device from the list of excepted devices. 6. Click on the OK button in the Additional window to save changes. 7. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Disable autorun for all devices: 1. Choose Activity policy in the Context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Devices protection scope from the drop-down list. 3. Check Disable autorun for all devices. 4. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Disable access to CD/DVD drives: 1. Choose Activity policy in the Context menu. 2. Switch to the Common rules tab in the Application control policy window. Select the Devices protection scope from the drop-down list. 3. Select the CD/DVD Devices from the list and uncheck the Read, Write, Delete checkboxes. 4. Click on the OK or Apply button in the Common rules tab to save the new rule and to update the Application control policy. Disable access to LPT ports: 1. Choose the Activity policy item in the context menu. 2. Switch to Common rules tab in the A
40. ed application • Blocked application (execution is prohibited) • Scan application files for malware. Running in Extended Mode, SafenSoft SysWatch tracks new or unknown applications (those not present in the System Profile), blocks harmful actions and notifies of any suspicious activities. The time taken to create the System Profile depends on the amount of software installed on the system. It is recommended that you minimize the SysWatch interface to the Windows task bar and continue to work while this process is completed. You can update the System Profile as necessary. For example, the profile should be updated whenever a significant change is made to the system, such as attaching an external storage device that contains executable files. Simply update the System Profile when the device is connected; after the update is completed, the applications on the storage device will be considered known and trusted. IMPORTANT: Do not install or update software during an automatic adjustment, as SysWatch will be unable to add new or changed software to the System Profile. You can update or add new software to the System Profile by launching it in install mode. Actions. Cancel automatic adjustment: 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window. 2. In Protection Status section click
41. empts to breach security policies. • Improved: Application activity history and rollback to remove unwanted changes. For every application, the entire activity history and shadow copies of the changed/deleted files can be created to provide the ability to roll back unwanted changes. • Improved: Application launch control. Granular application launch control settings allow precise controls and prevent unknown processes from launching so damage cannot occur. • Improved: Automatic incident processing. Automatically blocks malicious application activity to adjust security levels as needed. • Improved: Core integrity engine. Primary algorithms have been improved to deliver better performance and greater efficiency. 1.2 How it works. The main purpose of the SafenSoft SysWatch protection system is to preserve the integrity of the operating system and all its components as installed at the original build, as well as applications installed at a later date. Immediately after installation, SafenSoft SysWatch activates in Simple Mode, which provides control over the launch of unknown applications. Simple Mode is based on the detection of new executable modules in the system. The decision as to whether to allow the new application to launch is made based on the degree of confidence in the unknown application and on internal SafenSoft SysWatch logic regarding executable mod
42. en a decision needs to be made about an application launch. System Profile creation consists of the following steps: • Update automatic adjustment components via the Internet. If an Internet connection is unavailable, existing components are used. • Search and collect information about all executable files (exe, com, dll, etc.). • Identification of executable files. • Define rules for application execution: • Trusted or known application • Restricted application • Blocked application (execution is prohibited). • Scan application files for malware. Running in Extended Mode, SafenSoft SysWatch tracks new or unknown applications (those not present in the System Profile), blocks harmful actions and notifies you of any suspicious activities. The time taken to create the System Profile depends on the amount of software installed on the system. It is recommended that you minimize the SafenSoft SysWatch interface to the Windows task bar and continue to work while this process is completed. You can update the System Profile if necessary. For example, the profile should be updated whenever a significant change is made to the system, such as attaching an external storage device that contains executable files. Simply update the System Profile when the device is connected; after the update is completed, the applications on the storage device will be considered known and trusted. IMPORTANT: Do no
43. ense: displays the legal information about the SysWatch license for this machine, program activation and license renewal. • Help and Support: contains information about the version of SafenSoft SysWatch installed on this machine and enables users to send an inquiry to SafenSoft technical support. 3.3.1 Protection status. The Status section displays the current SysWatch protection status: • Computer is protected: all protection areas are under control. • Partial protection: at least one of the protection areas is out of compliance with SysWatch protection requirements. • Unprotected: SysWatch protection is disabled. To change the protection status, click the appropriate link: • Applications: to enable/disable application launch control. • File system: to enable/disable file system protection. • System registry: to enable/disable system registry protection. • Network: to enable/disable protection of network connections. The lower part of the window contains information about application activities and allows changes to be made to the application activity control settings by clicking on it: • Registered applications: total number of trusted, restricted and blocked applications. • Trusted applications: the number of trusted applications. The trusted application list is generated automatically after automatic adjustment or manually when the system profile
44. erformed automatically during the automatic adjustment process if you have a version of the software that includes an antimalware scanner. Otherwise, third-party antimalware should be used to scan the computer before installing SafenSoft SysWatch. Because we are continuously improving the software, SafenSoft SysWatch will automatically check for updates and install them before the automatic adjustment process begins. The same applies to antimalware signature update files if that capability is included with your version of the software. As soon as these steps have been taken, the program is ready. 4.1 Program activation. The functionality available in SafenSoft SysWatch is determined by the license type installed on this computer. The license key is provided at the time of purchase. The following components are available for use as soon as SafenSoft SysWatch is installed: • SafenSoft SysWatch Core (Core), which is the primary proactive protection component. • SafenSoft SysWatch Rootkit Detector (RD), which is the primary component responsible for detecting rootkits. • Antivirus (AV) is an optional additional component that scans for viruses, trojans, worms and other malware. • Antispyware (AS) is an optional additional component that scans for spyware. When the license key expires, the product will remain fully functional, but program and antimalware signature u
45. estored. Delete: indicates that the application has deleted a file or a System Registry object. The deleted objects can be restored. Object: specifies the name of the file or System Registry object. Result: specifies the result of restoring a changed object. Restored: indicates that the object has successfully been restored. Recovery error: indicates that the object cannot be restored. SafenSoft SysWatch stores backup copies of modified objects in the <Installation directory>\History folder. Actions. Save application activity history: 1. Choose the Processes and applications item in the context menu. 2. Select an application from the list, right-click on it and choose the Application properties item. 3. In the History tab, check the Save activity history checkbox. 4. Check the Create backup copies of objects for further recovery checkbox to create backup copies of all file system and system registry objects which were changed or deleted by the application. 5. Click on the OK button in the Application properties window. Recover changed objects: 1. Choose the Processes and applications item in the context menu. 2. Select an application from the list, right-click on it and choose the Application properties item. 3. In the History tab, select file system or system registry objects in the list and click the Restore link. 4. Click on the OK button in the Application properties window.
46. fenSoft license key for this machine: • Active license: the program has been activated and is fully functional. • License will expire soon: the license will expire in less than 5 days. • License has expired: the license has expired and program functionality is now limited. The license should be renewed as soon as possible. • License not found: the program has not been activated. A license key should be provided and the program activated. License type: • Commercial license: the scope of the license key is defined at the time of purchase or renewal. When the key expires, the license can be renewed and the program reactivated. • Trial license: a free license key issued for the purpose of evaluating the program. Trial license keys cannot be renewed. • License expiration date: the license key expiration date. • License validity term (days): the number of days for which the license key is valid. • Protection components: program modules activated with this license key: • SafenSoft SysWatch Core (Core) is the core proactive protection component in SafenSoft SysWatch. • SafenSoft SysWatch Rootkit Detector (RD): the component responsible for rootkit detection. • Antivirus (AV): an optional component for detecting malware (viruses, trojans, worms and other malware). • Antispyware (AS): an optional component for detecting spyware. • Restrictions: specifies the limitations in functionality that take effect on license key expiration. • Update indicate
47. fication area to open the context menu. Then choose Settings to open the application settings window. 2. Select the Settings section of the main Application settings window. 3. Click on the Restore button. 4. Choose the backup file you have saved before or the default backup file and click on the Open button. 5. Click on the Ok button in the SysWatch backup and restore window. 6. Click the Ok button in the General settings for control and management window. Enable/Disable external control of the SysWatch system service (self-protection): 1. Right-click on the application icon in the notification area to open the context menu. Then choose Settings to open the application settings window. 2. Select the Settings section of the main Application settings window. 3. Check Disable the external control of the system service and click the Ok button. If you checked Disable the external control of the system service, you can't stop or block execution of SafenSoft SysWatch with the help of: • Task manager • Services (services.msc) • Net stop command • Taskkill command. 3.2.2.4.1 View. When SafenSoft SysWatch is installed, the following parameters are set by default: • Show program icon in the taskbar notification area: Enabled. • Language: the language you have selected during SafenSoft SysWatch installation. Actions. Hide program icon: 1. Right-click on the application icon in the notification area t
48. following components to detect and neutralize malicious code: • Antivirus databases: signatures of known viruses, worms, Trojans and other malware • Antispyware databases: signatures of known spyware • The Rootkit Detector searches for hidden malicious objects (rootkits). A rootkit is a program or set of programs used to hide malicious activities or attacks on the operating system. A rootkit injects itself into the operating system and disguises its existence and the existence of processes, folders and registry keys that relate to other malicious programs described in the rootkit's configuration file. The antimalware scanner compares the object it scans against records in its databases; if a match is found, it marks the object as malicious. This is often described as signature-based analysis. In order to detect hidden resources, all the running processes and system hooks are checked. In order to perform a scan it is necessary to: • Include objects to be scanned in the protection scope. Any of the following objects can be scanned: file system objects (logical drives and files), system memory, bootable sectors, etc. By default all objects are included in the scope. • The scan results require a decision to be made regarding any threats found that have not been neutralized. Scans should be performed as follows: Immediately after installing SafenSoft SysWatch no other a
49. he Additional windows to save changes. 12. In the list of network rules, uncheck the Allow checkbox next to the rule created to block connection to the specified network resource. 13. In the list of network rules, check the Confirm checkbox to be prompted each time SafenSoft SysWatch is going to restrict application's network activity. 14. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Change Network rule: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Network protection scope from the drop down list. 3. Select an appropriate network rule from the list. 4. Click the Edit button. 5. Change the rule and click on the OK button to save changes. 6. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Remove Network rule: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Network protection scope from the drop down list. 3. Select an appropriate network rule from the list. 4. Click the Delete button. 5. Click on the OK button to confirm deletion. 6. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy.
50. he context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Devices protection scope from the drop down list. 3. Select the LPT Ports from the list and uncheck the Read, Write, Delete checkboxes. 4. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Disable access to COM ports: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Devices protection scope from the drop down list. 3. Select the COM Ports from the list and uncheck the Read, Write, Delete checkboxes. 4. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Hide unrestricted resources: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the File System or System Registry protection scope from the drop down list. 3. Uncheck the Show objects without access restrictions checkbox. 4. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Enable access to the clipboard by applications run under V.I.P.O. limited user: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Selec
51. in the Common rules tab to save new rule and to update Application control policy. Block access to a System registry object: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the System registry protection scope from the drop down list. 3. Select a file system object in the tree and: • Check the Read checkbox in order to protect the selected system registry object from being read by applications. This will automatically prevent changing or deletion of the system registry object. • Check the Write checkbox to protect the selected system registry object from new entry creation or alteration by applications. • Check the Delete checkbox to protect the selected system registry object from being deleted. 4. Right click in the Use for column to change the group of applications which will be affected by the activity control rule: • All: the rule will be applied to all applications • Trusted: the rule will be applied to known trusted applications which are present in the system profile • Restricted: the rule will be applied to potentially dangerous restricted or unknown applications not present in the system profile. 5. Right click in the Use for column and choose Additional item. 6. Change following settings in the Additional window: • Users: select the users to be c
52. will automatically block changing and deletion of the TXT files. • Check the Write checkbox to protect all TXT files from creation and altering by applications. • Check the Delete checkbox to protect all the TXT files from being deleted. 6. Right click in the Use for column to change the group of applications which will be affected by the activity control rule: • All: the rule will be applied to all applications • Trusted: the rule will be applied to known trusted applications which are present in the system profile • Restricted: the rule will be applied to potentially dangerous restricted or unknown applications which are not present in the system profile. 7. Right click in the Use for column and choose Additional item. 8. Change following settings in the Additional window: • Users: select the users to be controlled by the rule • Time: set time periods for the rule to be active. The rule will be active at all times by default. • Exceptions: select applications to be excluded from the rule. 7. Click on OK button in the Additional window to save changes. 8. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Block access to file object: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the File system protection scope from the drop down list. 3. Select a
53. ion: Enabled • Applications: Enabled • File system: Enabled • System registry: Enabled • Network: Enabled • Automatic processing of incidents: Disabled • Password protection: Disabled. Actions: Disable protection: 1. Right click on the application icon in the notification area to open context menu. Then choose Settings to open application settings window. 2. Uncheck Enable protection and click OK to disable protection of all controlled areas, or 3. Uncheck appropriate control areas and click OK to disable protection of these areas only. Enable automatic processing of incidents: Right click on the application icon in the notification area to open context menu. Then choose Settings to open Application settings window. 1. Check Enable automatic processing of incidents and click Configure. 2. Under Incidents tab you can set automatic decisions on different incidents. Following types of incidents are available: • Launching unknown application: attempt to launch any application which was not installed before system profile creation. Exception is made for installers with certificate from trusted Certificate Authority. • Launching unknown installer/updater: attempt to launch any installer without certificate from trusted Certificate Authority or with expired certificate. • Control policy violation: any violations of application activity policies
54. is not allowed by the SysWatch's control policy will be permitted if no malicious code was detected. • Block: operation which is not allowed by the SysWatch's control policy will be blocked. • Block and Kill application: operation which is not allowed by the SysWatch's control policy will be blocked and the process that initiated this operation will be stopped. You can also set additional parameters: Delayed decision: in case of an incident, automatic decision will be made after the delay if no manual decision was made. Remember decision on session: in case of an incident, automatic decisions on application's operations will be made until it is stopped (applicable for Control policy violation only). Decide on the administering computer (applicable for corporate products only): Decision will be made by the administrator remotely via management console (Admin Explorer). Enable password protection: 1. Right click on the application icon in the notification area to open context menu. Then choose Settings to open application settings window. 2. Check Enable password protection and click on Configure button. 3. In the field Current Password enter the password you set before. If you didn't set password for SafenSoft SysWatch, leave Current Password field blank. 4. Enter new password and confirm it in appropriate fields (New password and Confirm new password). 5
55. k activity network rule from the list and uncheck the Allow checkbox next to it. 4. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Devices. The Devices protection scope covers the creation of rules to control access to certain devices: • USB devices • CD/DVD drives • COM ports • LPT ports. Actions: Deny access to USB devices and set exceptions: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Devices protection scope from the drop down list. 3. Select the USB Devices from the list and uncheck the • Uncheck the Read checkbox in order to protect the selected USB device from reading by applications. This will automatically block changing and deletion of the files and folders stored on the USB device. • Uncheck Write checkbox to protect the selected USB device from new files and folders creation and altering existing data by applications. • Uncheck the Delete checkbox to protect files and folders stored on the selected USB device from being deleted. 4. Click on Additional link. 5. Change following settings in the Additional window: • Users: select the users to be controlled by the rule • Time: set time periods for the rule to be active. The rule will be active at all times by default. • Exceptions: sel
56. k launch of unknown installer and remember this selection: 1. In case an unknown installer launch is attempted, SafenSoft SysWatch suspends the launch and pops up Alert window. 2. If you don't know what installer is launching or don't trust it, check Never run this application in future and click on the Block button to block the launch. 6.1 Unknown application launch. Unknown application: any application that is not present in the SafenSoft SysWatch system profile, other than installers with a digital signature from a trusted Certification Authority. When the launch of an unknown application is attempted, SafenSoft SysWatch suspends the launch and pops up an Alert window. The Alert window has 2 parts: • Application description: Information about the unknown application is shown: name, vendor, antimalware scan result (if antimalware scanning is supported by your SafenSoft SysWatch license). • Available actions: Available actions that can be performed on the application are shown. Execute in limited mode: application will be launched in a sandbox. Execute in install mode: application and all its modules will be added to the system profile as Trusted. Block: block application from launching. This option is recommended for any applications you don't trust or for unauthorized launch attempts by those applications. If no decision is made within 5 minutes of th
57. led, the following parameters are set by default: • Self protection: Disabled • Remote control: Disabled • Check for updates: Once a day. Backup of the default program settings and application control policy is created. If you create new control rules or change other SafenSoft SysWatch settings which prevent system from working correctly, you can restore default settings. In the Settings section of the Application Settings window you can: • Backup/restore program settings including application control policies • Enable/Disable external control of the SafenSoft SysWatch system service (self protection) • Change settings for remote control of SafenSoft SysWatch (available for corporate products only). Actions: Save program settings to a file (backup program settings): 1. Right click on the application icon in the notification area to open context menu. Then choose Settings to open application settings window. 2. Select Settings section of the main Application settings window. 3. Click on Save button. 4. In the Save As window choose the destination folder where the backup copy of all settings will be saved. 5. Select file type (xml or encrypted xmlc format) and click on Save button. 6. Click Ok button in the General settings for control and management window. Restore program settings from a file: 1. Right click on the application icon in the noti
58. lowing settings in the Additional window: • Users: select the users to be controlled by the rule • Time: set time periods for the rule to be active. The rule will be active at all times by default. • Exceptions: select applications to be excluded from the rule. 7. Click on OK button in the Additional window to save changes. 8. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. 5.2.1.3 Network. The Network protection scope covers the creation of access rules for restricted applications with regard to network resources: • Creating network connections • Transferring data to a remote computer • Receiving data from a remote computer. A network rule includes the following information: Name: specifies the name of the rule. Direction: specifies the direction of a network connection from the perspective of the connection originator: • Inbound: indicates that the connection has been initiated by the remote computer • Outbound: indicates that the connection has been initiated by the local computer • Inbound/Outbound: bidirectional coverage. Protocol: specifies the name of the protocol used to establish the connection: • TCP • UDP • TCP/UDP: either protocol. Local address: specifies the IP address or range of IP addresses for the local computer covers any available local network address Remote add
59. n: 1. Right click on the program icon in the notification area to open the Context menu. Then choose the Show program icon to uncheck it. Show program icon: 1. Double click on the SafenSoft SysWatch shortcut at the desktop or launch it via Start menu. 2. Click on Settings link at the Protection Status window of the Control panel. 3. Check Show program icon in the taskbar notification area and click OK to apply changes. 3.2.11 Interface language • Interface language: change the language of the SysWatch interface. Actions: Change the interface language: 1. Right click on the application icon in the notification area to open context menu. Then choose Interface language item and select the language. 3.2.12 Exit • Exit: shut down the SysWatch user interface. Note that the protection continues to be in effect. Actions: Close the user interface: 1. Right click on the application icon in the notification area to open context menu. Then choose Exit item. Note that the protection module will still be running. 3.3 Control panel. The Control panel is the main SafenSoft SysWatch window and contains the following sections: • Status: displays protection status and allows protection settings to be changed • Scan: enables antimalware scanning to be activated and managed • Update: enables the management of program updates and settings • Lic
60. n application and its modules • Trusted Applications: Applications added to the system profile and run outside the sandbox. In the SysWatch Processes and applications window, Trusted Applications are grouped under Known Trusted Applications. • Unknown Applications: Applications that have not been added to the system profile. • Unknown Installer: Installer with an expired digital signature or no digital signature from a trusted CA. SafenSoft. SafenSoft was founded in 2006 when the Proactive Computer Security department of StarForce, a leader in the field of digital content copyright protection software, decided to branch out. Now SafenSoft is a leading developer of cutting edge information security software solutions developed from the ground up to provide proactive protection. The SafenSoft approach to security has its roots in digital rights management, where the goal is to preserve the integrity of the system rather than try to identify every malicious action attempted on that system. The technology behind this process, VIPO (Valid Inside Permitted Operations), is a unique and highly effective architecture that efficiently monitors and processes all system activity for unexpected and/or unauthorized activities. SafenSoft technology focuses on securing networks through system and application integrity coupled with profile based access controls. The company's founders e
61. net knowledge base: 1. Choose Help and support section of the Control Panel. 2. Click the Search Internet knowledge base link to find information in SafenSoft's online knowledge base. Send support request: 1. To send a request to the Support service, establish Internet connection. 2. Choose Help and support section of the Control Panel. 3. Click the Support request (recommended) link to send your request by e-mail. 4. Enter User Data and request description and click on Forward button. 5. Check the data to be sent: Settings and program info, processes, Windows system information. Attach screenshot or file with the detailed description if it is necessary and click on Forward button. 6. Click on Finish button to send the e-mail to SafenSoft Support team. Send support request using web form: 1. To send a request to the Support service, establish Internet connection. 2. Choose Help and support section of the Control Panel. 3. Click the Send support request web form to open SafenSoft's website. 4. Enter user data and request description and click on Send button. Getting started. SafenSoft SysWatch default settings provide good basic protection immediately after installation. It is possible that the computer might have been infected before SafenSoft SysWatch was installed. For this reason a full scan to detect and treat existing malware infections is p
62. nstallation files. Step 4. In the Welcome to the Install Wizard for SafenSoft SysWatch windows click Next. Step 5. The License Agreement. If you accept its terms, click I accept the terms in the license agreement and then click the Next button. The application installation will continue. Step 6. Specify the folder in which SafenSoft SysWatch will be installed. The default location: C Program Files SnS Soft Safe n Sec Client. You can specify another folder by clicking the Browse button and selecting the required folder in the standard folder selection window, or by entering the path to it in the text entry field. To proceed with the installation click the Next button. Step 7. To start the actual software installation click the Install button. Step 8. When you see the InstallShield Wizard Completed window, click the Finish button to finish the installation process. Application Interface. The SafenSoft SysWatch is straightforward and easy to use. This section describes the basic features in detail: Notification area icon, Context menu, Control panel. Notification area icon. Immediately after installing SafenSoft SysWatch the application icon will appear in the Microsoft Windows taskbar notification area. This icon indicates the program's operational status. It also shows the protection status and whether any basic functions are currently active
63. ntimalware was previously installed. Any time the application activity control is disabled and external storage (USB, CD/DVD, etc.) has been used or an Internet connection has been established. NOTE: In order to be able to use the anti-virus and antispyware databases you must be using a licensed copy of a version of SafenSoft SysWatch that includes antimalware. For effective malware scanning the signature databases should be updated daily. The simplest way to ensure this happens is to set up a daily automatic update. Actions: Run scan: 1. Specify one or more objects in the Scan section of the Control panel. 2. Click Run scan. 3. To check the progress of the scan click the Details link. Stop scan: 1. Click the Stop scan button in the Scan section of the Control panel. Note that the scan cannot be stopped until after initialization is complete. 2. To examine the state of the scan click the Details link. View scan report: 1. Click the Last scan link in the Scan section of the Control panel. 2. A scan report in text format will be opened. Manually select the action on detected threat: 1. Open the Program properties window from the program's Context menu and select the Scan section, or click the Settings link in the Scan section of the Control panel. 2. Set Select action when the scan finishes to view all detected threats or Ask action to make a decision
64. o open context menu. Then choose Settings to open application settings window. 2. Select View section of the main Application settings window. 3. Uncheck the Show program icon in the taskbar notification area checkbox. 4. Click on the OK button to apply changes. Change interface language: 1. Right click on the application icon in the notification area to open context menu. Then choose Settings to open Application settings window. 2. Select View section of the main Application settings window. 3. Select language from drop down menu. 4. Click on the OK button to apply changes. 3.2.2.4.2 Reports. When SafenSoft SysWatch is installed, the following parameters are set by default: • Enable reports: All • Do not store reports longer than: 14 days • Check for updates: Once a day. SafenSoft SysWatch creates following reports: • System report: contains data about the program's execution, exceptions and warnings on activity policy violation. A text file with the name system_date_time.txt template is created each time the program starts. • Update: contains data regarding the update process. A text file with the name update_date_time.txt template is created each time an update process starts. • Scan report: contains data regarding the scanning process (if antivirus scanner is included in the product). A text file with the name scan_date_time.txt is created each time a
65. o the clipboard by applications run as restricted application under V.I.P.O. limited user: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Interprocess Interaction protection scope from the drop down list. 3. Check Clipboard access checkbox. 4. Click on the Additional link. 5. Change following settings in the Additional window: • Users: select users to be controlled by the rule • Time: set time periods for the rule to be active. The rule will be active all the time by default. 6. Click on OK button in the Additional window to save changes. 7. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. 5.2.2 Processes and applications. The Processes and applications section in the Application control policy window contains information about all applications run on the computer during or after the SafenSoft SysWatch installation. Name: specifies the name of an application read from the version info of the application or the name of a file. Status: specifies the status of an application: • Black: indicates that the application is currently executing • Gray: indicates that the application is currently not running. Restrictions: specifies the set of restrictions imposed on the application: • Custom: applicable for a particular application •
66. on displays information about the last update and allows changes to be made to the update settings. • SafenSoft SysWatch is out of date: no update routine has ever taken place or more than 5 days have passed since the last update. The program should be updated. • SafenSoft SysWatch is up to date: the program is up to date. • Updates are unavailable: the program has not been activated or the license has expired. In order to perform a program update, a license key should be provided and the program activated, or the license renewed. • Last search for updates: detailed information about the last search for available updates • Updates installed: displays details about the last updates installed • Startup mode: specifies when the update routine starts • Automatic: the update routine should start automatically • On demand: the update routine should start on demand • Settings: enables the update settings to be changed. Actions: Run update: 1. Click the Run update button in the Update section of the Control panel. 2. To view the status of the update process click the Details link. 3. TXT file with the update report will be opened. View update report: 1. Click the Installed updates link in the Update section of the Control panel. 2. TXT file with the update report will be opened. 3.3.4 License. The License section displays information regarding the Sa
67. ons for termination. Terminating system processes may lead to Windows restart. 5.2.2.1 Application properties. This section covers the following application properties: General, Execution conditions, History, Restrictions and permissions. Actions: Change execution conditions: 1. Choose Processes and applications item in the context menu. 2. Select an application from the list, right click on it and choose the Application properties item. 3. In the Execution conditions tab under restriction section you can set following parameters. For the Trusted application: Block application: the application will be moved to Blocked; Delete application from Trusted: the application will be moved to Restricted. For Restricted application: Block application; Trust to application: the application will be moved to Trusted. For Blocked application: Allow application: the application will be moved to Restricted; Trust to application. 4. Click on OK button in the Application properties window. Scan application for malicious code: 1. Choose Processes and applications item in the context menu. 2. Select an application from the list, right click on it and choose the Application properties item. 3. In the General tab under Scanning section click the Scan link and select Scan from the context menu. Save application activity history: 1. Choose Processes and applications item in the conte
68. ontrolled by the rule • Time: set time periods for the rule to be active. The rule will be active at all times by default. • Exceptions: select the applications to be excluded from the rule. 7. Click on OK button in the Additional window to save changes. 8. Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy. Create new Network rule: 1. Choose Activity policy item in the context menu. 2. Switch to Common rules tab in the Application control policy window. Select the Network protection scope from the drop down list. 3. Click the Add button. 4. Enter a name of the network rule into the Name field. 5. Specify the direction of data transfer from the Direction drop down list. The default value is Inbound/Outbound. 6. Specify the network protocol from the Protocol drop down list. The default value is TCP/UDP. 7. Define the Local IP address or an address range in the appropriate fields. The default value is Any address. 8. Define the Remote IP address or an address range in the appropriate fields. The default value is Any address. 9. Click on the OK button to save the rule. 10. Change following settings in the Additional window: • Users: select the users to be controlled by the rule • Time: set time periods for the rule to be active. The rule will be active at all times by default. 11. Click on OK button in t
69. ordance with the documentation will protect your system against malware and other threats, both external and internal. If you have any comments or questions about the software, please don't hesitate to send them to us at support@safensoft.com. This manual is the property of SafenSoft and may only be used in conjunction with a legally acquired copy of the SafenSoft SysWatch software. It is prohibited to reproduce, make changes to, or distribute electronically or by any other means this manual without prior written permission from the company and acknowledgement of copyright ownership. All product names used in this manual are the trademarks or registered trademarks of SafenSoft or their respective owners. SafenSoft reserves the right to change the contents of this manual without notice. SafenSoft 2004-2011. All rights reserved. What's new in SafenSoft SysWatch. All SafenSoft products are subject to continuous improvement. Listed and described below are the new and improved features included in SafenSoft SysWatch v.3.6. New: Script execution control. Detection and prevention of any scripting language launch. Improved: Auto adjust. Automatic creation of trusted applications list in background mode minimizes the need for additional adjustments and enables out of the box protection. Improved: Alerting system. Alerts provide timely information about all endpoint activity, enabling effective reactions to att
70. ow. 3. Choose Applications tab and check Remove information about the application does not run more than and set the number of days. 4. Click on Ok button. 3.2.2.1.3 Incidents. In the Incidents tab you can set different variants of SafenSoft SysWatch decisions when appropriate incident appears. Following types of incidents are available: Launching unknown application: attempt to launch any application which was not installed before system profile creation. Exception is made for installers with certificate from trusted Certificate Authority. Launching unknown installer/updater: attempt to launch any installer without certificate from trusted Certificate Authority or with expired certificate. Control policy violation: any violations of application activity policies by applications with adjusted activity restrictions (access to file system, registry, etc.). Following decisions on Launching unknown application are available: Execute in a limited mode: launch application in a sandbox. Scan and execute in a limited mode: after scan and launch application in a sandbox if no malicious code was detected. Execute in install mode: launch application and add to system profile as trusted. Scan and execute in install mode: after scan and launch application if no malicious code was detected. Add application to system profile as trusted. Block: prevent application f
71. oxing: specially designated user account for potentially dangerous software provides system level privilege controls to block malicious software activity. • Application activity control: controls how different applications can access files and folders, registry keys, external devices and network resources. User driven rules can be created to control application activity. System protection is performed in accordance with application control policy, which defines what rules will be applied to which applications. SafenSoft SysWatch offers the following proactive protection settings: Application control policy, Protection scope, Managing applications and processes. 5.1 System Profile Creation. In order to ensure the best possible protection, SafenSoft SysWatch automatically creates and adjusts System Profiles on the first run. If the computer is restarted or switched off before the end of the automatic adjustment, it will continue from the point at which it was stopped when the system is powered back on. After the automatic adjustment is successfully completed, SafenSoft SysWatch Extended Mode is activated, which enables you to: • Classify all installed applications into trusted (known) and potentially harmful (unknown) categories • Execute unknown applications in a sandbox and automatically block any malicious activities • Reduce the need for user interaction wh
72. pdates will not be available we cannot guarantee that the antimalware scanner will continue to be effective after the SafenSoft SysWatch license key has expired To continue to get the full value of the SafenSoft SysWatch protection and take advantage of new features and improvements the license key should be renewed promptly A week before the SafenSoft SysWatch license expires the program will notify you and thereafter each time the program is started up another reminder message will be displayed There are two ways to activate the program Automatic activation enter the serial number and the program will automatically validate the key and activate itself Manual activation you will need to provide the serial number and hardware code to SafenSoft technical support by phone or e mail You will receive the license key by phone or e mail so you can then manually activate the program The serial number consists of a sequence of digits separated by hyphens which must be entered into a series of blocks with no spaces The serial number must be entered using the Roman alphabet If the program was purchased in a box the serial number will be printed on the setup disk envelope Actions w Activate program 4 2 1 Provide the license key in the Number field and click on the Activate button 2 In case Internet connection is available the program will automatically
73. pplication control policy window Select the Devices protection scope from the drop down list 3 Select the LPT Ports from the list and uncheck the Read Write Delete checkboxes 4 Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy w Disable access to COM ports 1 Choose Activity policy item in the context menu 2 Switch to Common rules tab in the Application control policy window Select the Devices protection scope from the drop down list 3 Select the COM Ports from the list and uncheck the Read Write Delete checkboxes 4 Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy Process Privileges The Process Privileges protection scope enables the reduction of Windows privileges for restricted processes and applications You can disable following Windows privileges for the restricted processes and applications e Manage auditing and security logs e Back up files and directories e Restore files and directories e Change system time e Shut down system e Force shutdown from a remote system e Take ownership of files or other objects e Debug programs e Modify firmware environment values e Profile system performance e Profile single process e Increase scheduling priority e Load and unload device drivers e Create a pagefile e Adjust memo
74. ress specifies the IP address or a range of IP addresses for the remote computer Actions w Create new Network rule 1 Choose Activity policy item in the context menu 2 Switch to Common rules tab in the Application control policy window Select the Network protection scope from the drop down list 3 Click the Add button 4 Enter a name of the network rule into the Name field 5 Specify the direction of data transfer from the Direction drop down list The default value is Inbound Outbound 6 Specify the network protocol from the Protocol drop down list The default value is TCP UDP 7 Define the Local IP address or an address range in the appropriate fields The default value is Any address 8 Define the Remote IP address or an address range in the appropriate fields The default value is Any address 9 Click on the OK button to save the rule 10 Change following settings in the Additional window e Users select the users to be controlled by the rule e Time set time periods for the rule to be active The rule will be active at all times by default 11 Click on OK button in the Additional windows to save changes 12 In the list of network rules uncheck the Allow checkbox next to the rule created to block connection to the specified network resource 13 In the list of network rules check the Confirm checkbox to be prompted each time SafenSoft Sys
75. rom launching Following decisions on Launching unknown installer updater are available Install launch installer updater and add all new modules to the system profile as trusted Scan and install after scan and launch installer updater if no malicious code was detected Add all new applications modules to system profile as trusted Install in a limited mode launch installer updater in a sandbox Scan and install in a limited mode after scan and launch installer updater in a sandbox if no malicious code was detected Block prevent installer from launching Following decisions on control policy violation are available Allow operation which is not allowed by the SysWatch s control policy will be permitted Scan and allow after operation which is not allowed by the SysWatch s control policy will be permitted if no malicious code was detected Block operation which is not allowed by the SysWatch s control policy will be blocked Block and Kill application operation which is not allowed by the SysWatch s control policy will be blocked and the process that initiated this operation will be stopped You can also set additional parameters e Delayed decision in case of an incident automatic decision will be made after the delay if no manual decision was made e Remember decision on session in case of an incident automatic decisions on application s operations will be made until it is stopped applicable
76. ry quotas for a process e Bypass traverse checking e Remove computer from docking station e Perform volume maintenance tasks e Impersonate a client after authentication e Create global objects Actions v Reduce Windows privileges for restricted processes and applications 1 Choose Activity policy item in the context menu 2 Switch to Common rules tab in the Application control policy window Select the Process Privileges protection scope from the drop down list 3 Select a privilege in the list and uncheck the checkbox at the State column 4 Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy 5 2 1 6 Interprocess interaction The Interprocess Interaction protection scope allows restrictions for sandboxed processes to be disabled both the processes which are run under V I P O limited user for restricted applications and those that are run under Safe n Sec limited user for trusted applications After SafenSoft SysWatch installation the following restrictions are set for the processes run under V I P O limited user e Clipboard access e Setting hooks e Access to the process and its threads from outside For the processes run under Safe n Sec limited user restriction is set for trusted applications e Access to the process and its threads from outside Actions v Enable access t
77. s If the installer has a valid digital signature from a trusted Certification Authority it will be executed in Install mode automatically Actions w Allow launch of unknown installer 1 Launch the setup program for the new application 2 SafenSoft SysWatch suspends the launch and pops up an Alert window 3 Uncheck the Run in limited mode checkbox and click Execute All the installer modules will be added to the system profile as Trusted w Block launch of unknown installer and remember this selection 1 If an unknown installer launch is attempted SafenSoft SysWatch suspends the launch and pops up an Alert window 2 If you don t know what installer is launching or don t trust it check Never run this application in future and click on the Block button to block the launch Glossary e Blocked Applications Applications not permitted to launch In the SysWatch Processes and applications window they are grouped under Blocked Applications e Common Rules Rules for application activity control set up for a group of applications Trusted Restricted or All e Custom Rules Rules for application activity control set up for one particular application Custom rules are processed after Common rules so Custom Rules can apply exceptions to the Common rules e Extended Mode Fully functional protection mode based on the system profile and techniques used in Simple mode
78. s into the operating system But when the system is restarted the malware will be unable to execute as it is not present in the System Profile thus preventing any damage or the transmission of infective code e Run in Install Mode In this case SafenSoft SysWatch registers all the new components installed by the application in the System Profile The application and its components are granted rights to start in future e Block Application 1 3 By default only those modules that reside on a local hard drive are included in the System Profile Those executable modules distributed as application resources archives and the like will not be registered initially In order for such applications to work properly they should be launched in Install Mode applications and all their components are considered safe and added to the System Profile System requirements Operating System Hardware requirements e Microsoft Windows XP Home Edition SP 3 e Intel Pentium x86 x64 300 MHz or e Microsoft Windows XP Professional Edition compatible SP 3 e 256 MB RAM or more e Microsoft Windows XP Professional x64 e At least 150 MB free disk space Edition SP3 e Microsoft Windows Vista Home Basic x86 e Intel Pentium x86 x64 800 MHz or x64 SP1 compatible e Microsoft Windows Vista Home Premium e 512 MB RAM or more x86 x64 SP1 e At least 150 MB free disk space e Mi
79. s that program updating is disabled e Read EULA display the end user license agreement e Renew Buy license links to the company s online store to purchase a new license key Actions v Activate program 1 Provide the license key in the Number field and click the Activate button 2 If an Internet connection is available the program will automatically activate or 3 In case no Internet connection is available the program will suggest Manual activation option 4 You will be suggested to contact the Support service by phone and provide them with the serial number and hardware code 5 Type the license key obtained from the Support service in the Number field and click on Activate button v Renew license 1 Click the Buy license button if you use trial version or Renew License if you use commercial version You will be navigated to the company s online store 2 Choose an appropriate product in the store 3 3 5 Help and support The Help and support section describes the information needed to request technical support SafenSoft SysWatch version SafenSoft SysWatch update version Operating System and version Open help Search Internet knowledge base Request support via e mail Request support via web form Actions v Open help 1 Choose the Help and support section of the Control Panel 2 Click the Open help link w Search Inter
80. s the creation of rules controlling access to the Windows System Registry e Reading keys and values e Creating or changing keys and values e Deleting keys and values Actions w Block access to a System Registry object 1 Choose Activity policy item in the context menu 2 Switch to Common rules tab in the Application control policy window Select the System registry protection scope from the drop down list 3 Select a file system object in the tree and e Check the Read checkbox in order to protect the selected system registry object from reading by applications This will automatically block changing and deletion of the system registry object e Check the Write checkbox to protect the selected system registry object from new entries creation and altering by applications e Check the Delete checkbox to protect the selected system registry object from being deleted 4 Right click in the Use for column to change the group of applications which will be affected by the activity control rule e All the rule will be applied to all applications e Trusted the rule will be applied to known trusted applications which are present in the system profile e Restricted the rule will be applied to potentially dangerous restricted or unknown applications which are not present in the system profile 5 Right click in the Use for column and choose Additional item 6 Change fol
81. scan starts e Profile report contains data about system profile creation A text file with the name profile_date_time txt is recreated each time the profile is created or updated All the reports are saved to the C Documents and Settings All Users Application Data S N Safe & Software Safe n Sec Reports for Windows XP C Users All Users S N Safe & Software Safe n Sec Reports for Windows Vista Windows 7 Actions w Disable reports 1 Right click on the application icon in the notification area to open context menu Then choose Settings to open application settings window 2 Select Reports section of the main Application settings window 3 Uncheck the Enable reports checkbox or 4 Uncheck a checkbox of a required type of reports SafenSoft SysWatch will stop creating reports of the specified type v Change how long reports are to be kept 1 Right click on the application icon in the notification area to open context menu Then choose Settings to open application settings window 2 Select Reports section of the main Application settings window 3 Specify the number of days reports are to be kept in the corresponding field w Remove all reports 1 Right click on the application icon in the notification area to open context menu Then choose Settings to open application settings window 2 Select Reports section of the main Application settings window 3 Click the Clean up button and OK button in Delete reports window or
82. sses those access rules that deal with file system objects e Reading a file or a folder e Creating or Changing a file or a folder e Deleting a file or a folder Masks asterisks can be used to create activity control rules for the file system objects of the same type or with similar names Using masks you can easily filter the data to be protected Actions w Block access to the objects on the C:\ drive using file mask 1 Choose Activity policy in the context menu 2 Switch to Common rules tab in the Application control policy window Select the File system protection scope from the drop down list 3 Expand Drive C tree and select No masks press Ins to add the mask parameter 4 To set access rules for the group of objects with similar names or with same extension Press Ins Insert button and enter the regular expression for the full file or folder name including path to the object Following masks can be used replaces any number of characters except replaces any number of characters 0 equivalent to the comparison with zero byte H H replaces 1 character 5 For example to set access rules for all files on the drive C which have log in the file name and have TXT extension Press Ins Insert button and add following mask log TXT For the created mask e Check the Read checkbox in order to protect all TXT files from reading by applications This
83. st 5 2 1 system profile Applications can be designated trusted manually by launching them in Install Mode Restricted applications are those applications that have been removed from Trusted manually or unknown applications that are not present in the system profile The proactive protection technologies used in the application activity control allow the program to rapidly neutralize new threats before damage can occur SafenSoft SysWatch delivers effective protection and without the need for signature updates Your computer will be protected against zero day threats and application vulnerabilities before security patches and application updates are released The Application control policy window consists of e Common rules e Processes and applications Protection scope The Common Rules tab in the Application control policy window contains information about the general rules imposed on all applications when resource files folder system registry etc or device access is detected These rules are grouped into following categories e File system e System registry e Network e Process privileges Devices Interprocess interaction A default set of rules is included with the program developed by SafenSoft SysWatch s experts as a result of analyzing malicious code behavior Actions w Block access to file object
84. t install or update software during an automatic adjustment as SysWatch will be unable to add new or changed software to the System Profile You can update or add new software to the System Profile by launching it in installation mode Actions w Cancel automatic adjustment 1 In the General Settings for Protection window open the System Profile tab while automatic adjustment is in progress 2 Click the Stop button 3 SafenSoft SysWatch will ask whether you wish to continue the automatic adjustment later or not v Update System Profile 1 In the General Settings for Protection window open the System Profile tab 2 For Scope select Disks to create the System Profile or add files and folders to be added to the existing profile 3 Click the Update button Application control policy System protection is provided according to the application activity policy Application control policy a set of rules which determines the activity controls for each application Activity control rule a set of conditions that describe an application s activities and actions that SafenSoft SysWatch takes when such activities occur Activity control rules can be applied to the following groups of applications e All e Trusted e Restricted Trusted applications are identified based on digital signature from a trusted Certification Authority presence in the Windows catalog CATalog file and the SafenSoft SysWatch application white li
85. t the Interprocess Interaction protection scope from the drop down list 3 Check Clipboard access checkbox 4 Click on the Additional link 5 Change following settings in the Additional window e Users select the users to be controlled by the rule e Time set time periods for the rule to be active The rule will be active at all times by default 6 Click on OK button in the Additional window to save changes 7 Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy v Decrease Windows privileges for restricted processes and applications 1 Choose Activity policy in the Context menu 2 Switch to Common rules tab in the Application control policy window Select the Interprocess Interaction protection scope from the drop down list 3 Select a privilege in the list and uncheck the checkbox at the State column 4 Click on Additional link 5 Change following settings in the Additional window e Users select the users to be controlled by the rule e Time set time periods for the rule to be active The rule will be active at all times by default 6 Click on OK button in the Additional window to save changes 7 Click on OK or Apply button in the Common rules tab to save new rule and to update Application control policy 5 2 1 1 File System The File system protection scope encompa
86. tup program that does not contain a digital signature from a trusted Certification Authority or that has an expired digital signature If an unknown installer launch is attempted SafenSoft SysWatch suspends the launch and pops up an Alert window The Alert window has 2 parts e Installer description Information about the unknown installer is shown name vendor antimalware scan result if antimalware scanning is supported by your SafenSoft SysWatch license e Available actions Available actions that can be performed on the installer are shown Execute the installer and all its modules will be added to the system profile as Trusted Execute with checked Run in limited mode installer will be launched in a sandbox all malicious activity will be blocked Block block installer from launching This option is recommended for the applications you don t trust or for unauthorized launch attempts by those applications Block with checked Never run this application in future block installer from launching and remember the choice If no decision is made within 5 minutes of the Alert window appearing the installer will be blocked automatically The Alert window may not appear if Automatic processing of incidents is enabled It is necessary to set Delayed Decision in the Incident management window for the Alert window to appear in the case of security incident
87. uarantine folder In this instance it is recommended that the process be terminated and the object blocked Treat to treat the object Delete to delete malicious objects Move to quarantine to move the malicious objects to a special quarantine folder The list of Detected Threats is available only after the scan is completed The list contains the entire history of all threats detected from the time SafenSoft SysWatch was installed Actions v Manually treat detected threats 1 Check detected objects in the Detected Threats window 2 Click the Treat Delete or Move to Quarantine links to ensure the appropriate action is taken regarding the detected threat w Send detected threats to technical support for analysis 1 Select objects in the Detected Threats list 2 Select the Send command from the list s Context menu The program will create an e mail with the information required by SafenSoft technical support and open it in the default e mail client 3 Send the e mail 5 Settings SafenSoft SysWatch is designed to deliver operating system and application consistency by preserving the integrity of all system components SysWatch protection comprises e Application launch control protects all executable software on the system by detecting any unauthorized activation attempt and preventing the process from launching before damage can occur e Sandb
88. ules To reduce the number of alerts on unknown application launches and for more effective protection SafenSoft SysWatch carries out an automatic adjustment the first time it is run creating the basic System Profile After the automatic adjustment is successfully completed SafenSoft SysWatch activates the Extended Mode Unknown applications applications that are not included in the System Profile may be launched and activated only in a secure environment sandbox during the current operating system session and only if the application is launched by the authorized user of the system Only the authorized user may determine whether to add a new application to the System Profile as a trusted application launching it in Install Mode Trusted applications that are potentially dangerous web browsers instant messengers and P2P clients for example can be launched in a sandbox To launch potentially dangerous applications with restrictions the Execution Conditions can be changed in the Application Properties window When the user attempts to launch a new application SafenSoft SysWatch issues a notification that the application is unknown and offers the following options e Execute Application The application is launched in a secure environment sandbox and allowed to load additional executable modules not present in the system profile If the application is malicious it will still be allowed to execute even to install additional component
89. ut down the SysWatch interface Note that the protection will continue to run 3 2 1 SafenSoft SySWatch e SafenSoft SysWatch open main window Control panel Actions F Open Control panel 1 Right click on the application icon in the notification area to open context menu Then choose SafenSoft SysWatch to open control panel 3 2 2 Settings The Application settings window provides quick access to general SafenSoft SysWatch settings e Protection settings for application activity control learning mode and automatic incident processing e Scan settings for malware scanning and actions to be performed on malware detected e Update change application update settings e Settings system service control remote application control backup and restore settings preinitialize antivirus scanner e View change interface language and visibility of notification area icon e Reports report generation management e Notifications settings for application notifications Actions v Open Application settings window 1 Right click on the application icon in the notification area to open context menu Then choose Settings to open application settings window 2 SafenSoft SysWatch settings window will be opened 3 2 2 1 Protection When SafenSoft SysWatch is installed the following protection parameters are set by default e Enable protect
90. vity policy to open the application activity policies window 3 2 4 3 2 5 3 2 6 Processes and applications e Processes and applications open the settings for the Processes and applications window Actions v Open the Processes and applications window 1 Right click on the application icon in the notification area to open context menu Then choose Processes and applications to open settings for processes and applications window Scan e Scan select objects and start a scan for malicious code if antimalware scanner is available Actions v Run antimalware scan 1 Right click on the application icon in the notification area to open context menu Then choose Scan to select objects and start scan for malicious code 2 Check object to be scanned and click on Run scan button Update e Update download and install SysWatch updates if available Actions w Check for updates and install if available 1 Right click on the application icon in the notification area to open context menu Then choose Update item 2 Click on Run update button 3 Click on Details link while updating to view the report 4 Update report will be opened 3 2 7 Reports e Reports view system update scan and system profile creation reports Actions w View reports 1 Right click on
91. xperienced at first hand the increasing inability of signature based security solutions to keep up with the pace of malware development through their work with leading traditional antimalware developers and knew there had to be a better way The resulting SafenSoft products deliver both proactive protection against internal threats and comprehensive data leak prevention solution SafenSoft technology is used by some of the world s largest banks to protect their ATM networks SafenSoft SysWatch can deliver the same security standards to your business and home computers Contacts Website http www safensoft com Technical support service support safensoft com sales safensoft com Sales Department
92. xt menu 2 Select an application from the list right click on it and choose the Application properties item 3 In the History tab check Save activity history checkbox 4 Check the Create backup copies of objects for further recovery checkbox to create backup copies of all file system and system registry objects which were changed or deleted by the application 5 Click on OK button in the Application properties window v Recover changed objects 1 Choose Processes and applications item in the context menu 2 Select an application from the list right click on it and choose the Application properties item 3 In the History tab select file system or system registry objects in the list and click the Restore link 4 Click on OK button in the Application properties window 5 2 2 1 1 General properties The General tab in the Application properties window contains information about an application s executable file and the restrictions assigned to that file Path specifies the full path to the executable file of the application Size specifies the size of the file in bytes Created specifies the date and time when the file was created Modified specifies the date and time when the file was last changed Description provides the description text from the file s version info Product provides product s name read from the file s version info Ven