Note:
The information on this page refers to older versions of our home user products. To see our latest products, please see our Home User Products Section.
Overview of New Features Included in Maintenance Pack 1 (MP1)
for Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0
Maintenance Pack 1 for Kaspersky Anti-Virus (KAV) 6.0 and Kaspersky Internet Security (KIS) 6.0 includes not only fixes for the main errors identified during the first six months since the product’s official release, but also a number of new features and improvements, which will be described in this overview.
Protection technologies
An important capability introduced in MP1 is extended support for the 64-bit version of Windows XP. Now more of the solution’s components, including Mail Anti-Virus, Web Anti-Virus, Anti-Hacker, Anti-Spam and Anti-Phishing, are fully functional on computers running under this operating system (Proactive Defense is still not compatible).
KIS/KAV 6.0 MP1 has been tested by start64!, an independent group that specializes in testing software under 64-bit versions of Windows, and the results are available online. The KIS version tested was an intermediate beta (build 6.0.1.374), but all results of the testing are applicable to the official MP1 version (build 6.0.1.411). The test results demonstrated the following:
- During antivirus scanning the program correctly recognizes and scans System32 and Syswow64 folders (the latter is the system folder for 32-bit applications launched under 64-bit operating systems);
- The eicar test virus is successfully detected in the System32 folder, which is the system folder for 64-bit applications;
- The eicar test virus is successfully detected by the Web Anti-Virus during an attempt to download it from the eicar website;
- If an attempt is made to receive an email with the eicar test virus in an attachment, first the Mail Dispatcher window is displayed and then the Mail Anti-Virus module detects the virus and offers to remove the infected attachment;
- The Anti-Hacker component tracks the network activity of applications, and the Network Monitor component correctly displays various details of network connections, open ports and the network traffic;
- The Anti-Banner component successfully blocks advertising information on a test website.
The website’s team concluded that “At present, the software offers a unique protection package for x64.”
Another important feature introduced in the program is detection of keyloggers and other keyboard spy programs by the Proactive Defense module. Keyloggers are programs that record information about keys pressed by the user, usually without the user’s knowledge. The principal purpose of such programs is to obtain confidential information entered by the user, including passwords for various programs and services, PIN codes etc. This information is usually written to the hard drive and then secretly transferred to the malicious program’s author via email or some other method. Lately the number of new keyloggers and other malicious programs that include keyboard interceptor functions has been steadily growing. The number of methods used to capture keystrokes is also increasing, from simply polling the keyboard to writing keyboard filter drivers. The anti-keylogger subsystem implemented in MP1 for KIS/KAV 6.0 is able to proactively detect almost all known keylogger types. Specifically, it detects all keyloggers mentioned in the well-known article, Anti-Spyware: Efficiency of the Means of Defense, by Mykola Krasnostup and Dennis Kudin.
MP1 also introduces an extended set of verdicts that can be returned by the proactive defense module based on analyzing the behavior of running programs. Specifically, new verdicts include “Hidden data sending” and “Private data and passwords access”.
The former verdict is returned when a malicious program attempts to use a special mechanism of interaction with Internet Explorer to send data on behalf of the browser. This enables it to “dodge” the personal firewall installed in the system because firewall rules usually allow Internet Explorer to send data.
The latter verdict alerts the user to a malicious program’s attempt to collect such personal data as ICQ passwords etc. Such malicious programs are categorized by Kaspersky Lab as Trojan-PSWs. A notorious example of this class of program is the LdPinch Trojan; new versions of this Trojan keep appearing on the Internet.
Below are examples of alerts displayed by the product when one of the latest versions of LdPinch is launched (the File Anti-Virus module was disabled during testing):
Finally, MP1 implements scanning of data transferred via secure (SSL) connections. This capability is available in all network-oriented components of the product: Mail Anti-Virus, Web Anti-Virus, Anti-Spam and Anti-Spy. More and more programs use SSL connections, from bank clearing systems to email systems (such as Gmail).
The advantages of secure connections are obvious. What is not as obvious, however, is that data transferred via such connections can also include malicious code, detection of which by existing mail and web traffic scanning subsystems may be impossible even if the relevant virus signatures have already been added to their antivirus databases. There are two ways of addressing this issue. One is to use mail client and browser plugins to scan the traffic. This enables the antivirus program to scan encrypted traffic because plugins usually process data after it has been decrypted. However, not every email client and web browser has an application programming interface (API) for developing such plugins. Specifically, Outlook Express, a widespread email client, does not have an API. The other method – scanning encrypted traffic on the fly using a special algorithm – is implemented in MP1 for KIS/KAV 6.0.
Several other new technologies that help protect the computer against various threats have also been included in MP1.
The list of batch rules used by the Anti-Hacker component for known malicious programs has been extended. However, these rules are disabled by default, because they cover a number of ports whose blocking may cause network access problems for some network applications. For this reason, it is recommended that these rules be configured only by advanced users, after analyzing the list of network applications and the network configuration on a particular computer.
Anti-Banner, a module in the Anti-Spy component that blocks advertising content on web pages, previously detected such content only based on lists updated from Kaspersky Lab websites or manually defined by the user. A heuristic analyzer has been added in the Anti-Banner module in MP1. Now the module can detect banners that are not listed, so more advertising banners are blocked.
The last protection technology discussed in this overview protects the Windows Task Manager against injection of code from malicious dynamic-link libraries (DLLs). More and more malicious programs are using rootkit technologies to conceal their files, registry entries and active processes from the user and antivirus programs. The Task Manager is the standard tool for viewing the list of active processes in all of the latest Windows versions. As a result, injecting a malicious library into the Task Manager process and using it to distort the data the Task Manager displays, in order to hide active malicious processes, is a method that has gained considerable popularity. The Proactive Defense module in MP1 is now able to protect the Task Manager, thereby preventing malicious programs from distorting the list of processes. This technology effectively combats Hacker Defender, one of the most widespread rootkits in the world, by preventing it from hiding its process hxdef100.exe in Task Manager.
Improvements in usability
In addition to technologies that directly affect the computer’s protection, MP1 includes a number of new features that make the program easier to use.
Selection of the file scanning mode has been added in the File Anti-Virus component. Four modes are available: smart mode, scanning of files when they are opened or modified, scanning only when files are accessed, or scanning only when files are executed. The smart mode, in which the decision whether to scan an object is made based on analyzing the operations performed on it, is enabled by default. For example, when the user is working with a Microsoft Office document, the file is scanned when it is first opened and when it is last closed, while all intermediate operations related to saving the file are excluded from scanning.
One of the key features in Kaspersky Lab 6.0 products is the technology of pausing a running antivirus scanning task when user activity increases. This enables users to work normally even if the task of scanning the computer, which may take up considerable time and system resources, is running in the background. In previous releases this technology could be managed only globally, for all scanning tasks at the same time. However, experience of using the product has shown that for minor scanning tasks it is best to avoid using this technology, so that these tasks finish as quickly as possible. Therefore, in MP1, in addition to controlling the global setting, the user can also control the use of this technology for individual antivirus scanning tasks.
If the user is doing work that requires significant operating system resources, pausing the operation of the File Anti-Virus component may be required. MP1 introduces a feature that can pause the component’s operation during a specified time period or while certain programs are running.
The File Anti-Virus reports now specify the name of the user and computer from which all files are accessed, including infected objects. This may be useful on a home network in which a computer hosts shared resources for which several users have write access permissions. In the event of an attempt to write an infected file to such a resource the owner of the resource will easily determine from which remote computer the attempt was made.
In earlier releases, when it was necessary to scan objects in the product’s quarantine or backup storage, the user had to enter the path to these folders, which can be quite long. Also, scanning tasks had to be reconfigured after these folders were moved. In MP1, objects corresponding to backup storage and quarantine have been added to the tree of objects that can be selected for scanning.
On home networks and those connecting several households it is common for only one computer on the network to have Internet access and therefore be able to update product databases directly from the Kaspersky Lab update server, while other computers cannot access the Internet, e.g., to save traffic. For such situations, another helpful innovation has been introduced in MP1: the user with Internet access can copy threat signatures downloaded from the Kaspersky Lab update server to a local folder. This makes it possible to create a local update mirror, after which update tasks on other computers on the home network can be configured to update signatures from a specified shared source on the local network.
Another useful feature available in MP1 is support for using system environment variables when selecting objects to be scanned and trusted applications. As a result, the user needn’t worry about having to change the product’s configuration if an environment variable changes (e.g., if the Program Files folder is moved to a different drive). It is also possible to export settings for use on other computers with potentially different hard drive configurations.
The last new feature described in this overview is support for recording any product events in the standard Windows event log. This feature complements the product’s existing reporting and notification system and can be helpful, e.g., for diagnosing problems related to interaction between several applications (in this case the system log will combine events from all applications in one report in chronological order).
Summary
In this overview we have discussed all the main new features implemented in Maintenance Pack 1 (MP1) for Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0. Overall, the maintenance pack significantly improves the computer’s protection and facilitates management of the product. Also, extended support for the 64-bit version of Windows makes installation of the Maintenance Pack easier for users who use this Windows version.
Download
The Maintenance Packs for KAV 6.0 and KIS 6.0 can be found at the following links: