Preventive Protection

On this page, you can configure Dr.Web reaction to such actions of other programs that can compromise security of your computer and select protection level against exploits.

Figure 35. Preventive Protection settings

At that, you can configure a separate protection mode for particular applications or configure a general mode whose settings will be applied to all other processes.

To configure the general mode, select it from the Operation mode list or click Change parameters of suspicious activity blocking. As a result of the second action, a window opens providing you with details on each mode and editing options. All changes are saved in the User mode. In this window, you can also create a new profile for saving necessary settings.

To create a new profile

1.Click Add.

2.In the open window, enter a name for the new profile.

3.Look through default settings and, if necessary, edit them.

To configure preventive protection settings for particular applications, click Change access parameters for applications. In the open window, you can add a new rule or edit or delete an existing rule.

To add a rule

1.Click Add.

2.In the open window, click Browse and specify the path to the application executable file.

3.Look through default settings and, if necessary, edit them.

To edit an existing rule, select it from the list and click Edit.

To delete an existing rule, select it from the list and click Remove.

For more information about settings of each operation mode, refer to the Preventive Protection Level section.

Preventive protection level

In the mode Optimal mode , which is set by default Dr.Web disables automatic changes of system objects, whose modification explicitly signifies a malicious attempt to harm the operating system. It also blocks low-level access to disk and protects the HOSTS file from modification.

Only actions by the applications that are not trusted, are blocked.

If there is a high risk of your computer getting infected, you can increase protection by selecting the Medium. In this mode, access to the critical objects, which can be potentially used by malicious software, is blocked.

Note

Using this mode may lead to compatibility problems with legitimate software that uses the protected registry branches.

When required to have total control of access to critical Windows objects, you can select the Paranoid. In this mode, Dr.Web also provides you with interactive control over loading of drivers and automatic running of programs.

With the User-defined mode, you can set a custom protection level for various objects.

Protected object

Description

Integrity of running applications

This option allows detection of processes that inject their code into running applications. It indicates that the process may compromise computer security. Processes that are added to the Exclusions are not monitored.

Integrity of user files

This option allows detection of processes that modify user files with the known algorithm, which indicates that the process may compromise computer security. Processes that are added to the Exclusions are not monitored.

HOSTS file

The operating system uses the HOSTS file when connecting to the Internet. Changes to this file may indicate virus infection.

Low level disk access

Block applications from writing on disks by sectors while avoiding the file system.

Drivers loading

Block applications from loading new or unknown drivers.

Critical Windows objects

Other options allow protection of the following registry branches from modification (in the system profile as well as in all user profiles).

Image File Execution Options:

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

User Drivers:

Software\Microsoft\Windows NT\CurrentVersion\Drivers32

Software\Microsoft\Windows NT\CurrentVersion\Userinstallable.drivers

Winlogon registry keys:

Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit, Shell, UIHost, System, Taskman, GinaDLL

Winlogon notifiers:

Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Windows registry startup keys:

Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, LoadAppInit_DLLs, Load, Run, IconServiceLib

Executable file associations:

Software\Classes\.exe, .pif, .com, .bat, .cmd, .scr, .lnk (keys)

Software\Classes\exefile, piffile, comfile, batfile, cmdfile, scrfile, lnkfile (keys)

Software Restriction Policies (SRP):

Software\Policies\Microsoft\Windows\Safer

Browser Helper Objects for Internet Explorer (BHO):

Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Autorun of programs:

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

Software\Microsoft\Windows\CurrentVersion\RunOnceEx\Setup

Software\Microsoft\Windows\CurrentVersion\RunServices

Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Autorun of policies:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Safe mode configuration:

SYSTEM\ControlSetXXX\Control\SafeBoot\Minimal

SYSTEM\ControlSetXXX\Control\SafeBoot\Network

Session Manager parameters:

System\ControlSetXXX\Control\Session Manager\SubSystems, Windows

System services:

System\CurrentControlXXX\Services

Note

If any problems occur during installation of important Microsoft updates or installation and operation of programs (including defragmentation programs), temporarily disable Preventive Protection.

 

If necessary, you can configure desktop and email notifications on Preventive Protection actions.

Exploit prevention

This option allows to block malicious programs that use vulnerabilities of well-known applications. From the corresponding drop-down list, select the required level of protection.

Protection level

Description

Prevent unauthorized code from being executed

If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, it will be blocked automatically.

Interactive mode

If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, Dr.Web will display an appropriate message. Read the information and select a suitable action.

Allow unauthorized code to be executed

If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, it will be allowed automatically.