Functional analysis criteria

When setting up functional analysis, enable the recommended functional analysis criteria to achieve the maximum level of protection. Read the notes on each criterion before enabling it: a few criteria (for example, those of the Executable files integrity category) are suitable only for specific kinds of systems.

The Functional analysis criteria section lists the categories of criteria that you can set to protect the profile. Choose criteria based on the level of protection you need.

Categories of functional analysis criteria

1. Application launch.

Prevent running of applications signed by certificates known in Doctor Web as certificates for adware.
This criterion blocks the launch of applications that may distribute advertising.

Prevent running of applications signed by certificates known in Doctor Web as gray.
This criterion blocks the launch of applications signed with "gray" certificates. Such certificates are often used to sign software that is not outright malicious but is frequently unwanted or risky.

Prevent running of applications signed by certificates known in Doctor Web as certificates for hacktools.
This criterion blocks the launch of applications classified as hacktools, i.e. utilities that can be used to compromise system security. It is recommended to set this criterion.

Prevent running of applications signed by fake/malformed certificates.
This criterion blocks the launch of applications whose signature is fake or malformed (the certificate is invalid, or the signature does not verify against the file). Such files are frequently malicious. It is recommended to set this criterion.

Prevent running of applications signed by certificates known in Doctor Web as certificates for malware.
This criterion blocks the launch of applications signed with certificates that Doctor Web has seen used to sign malware; such certificates are typically stolen or otherwise compromised. It is recommended to set this criterion.

Prevent running of applications signed by revoked certificates.
This criterion blocks the launch of applications signed with certificates that the issuing certification authority has revoked, typically because the private key was stolen or compromised. This helps prevent the launch of potentially malicious applications. It is recommended to set this criterion.

Prevent running of applications signed by self-signed certificates.
This criterion blocks the launch of applications signed with self-signed certificates. Such a certificate does not chain to a trusted certification authority, so it gives no assurance of the publisher's identity, and software signed this way may be malicious. Check for in-house tools signed with self-signed certificates before enabling this criterion.

Prevent running of unsigned applications.
This criterion blocks the launch of unsigned applications, i.e. potentially malicious or untrusted applications of unknown origin.

Prevent running of Sysinternals utilities.
This criterion blocks the launch of Sysinternals utilities. These are legitimate Microsoft administration tools, but they are often used by attackers to compromise the system.

info

If the Allow running of system applications and Microsoft company applications flag is set in the Permissions section, Sysinternals utilities will run even if this criterion is set, because they are Microsoft applications.

Prevent running of applications from NTFS alternate data streams (ADS).
An executable stored in an alternate data stream is not visible in a normal directory listing, and applications run from ADS are often malicious. It is recommended to set this criterion.

Prevent running of applications from network locations and shared folders.
Running applications directly from a network location or shared folder is an atypical scenario that may threaten system security. It is recommended to set this criterion.

Prevent running of applications from removable media.
Running applications from removable media is an atypical scenario that may threaten system security. It is recommended to set this criterion.

Prevent running of applications from temporary folders.
Running applications from temporary folders is an atypical scenario that may threaten system security. It is recommended to set this criterion.

Prevent running of Windows/Microsoft Store applications (only for Windows 8 and later).
This criterion blocks the launch of applications downloaded from Windows/Microsoft Store.

Prevent running of applications with double/non-typical extension.
This criterion blocks the launch of files with a double or non-typical extension (for example, *.jpg.exe), a common disguise for malicious executables.

Prevent running of bash shells and WSL applications (only for Windows 10 and later).
This criterion blocks the launch of bash command shells and of applications running in the Windows Subsystem for Linux (WSL).
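The following PowerShell script is an added example and is not part of the Dr.Web documentation or product. It audits the executables in a folder and reports which of the Application launch criteria above would most likely apply to each file (signature status, self-signed or tampered signatures, Sysinternals utilities, network/removable/temporary locations, double extensions and alternate data streams), so that legitimate software can be identified before the criteria are enabled. The -Path default, the temp-folder list, the extension list and the regular expressions are this script's own assumptions. Doctor Web's certificate categories (adware, gray, hacktool, malware) come from its own database and cannot be reproduced locally, so they are not checked.

```powershell
# Added example, not part of the Dr.Web documentation: audit the executables in a folder and
# report which "Application launch" criteria from this page would most likely apply to each.
# Assumptions: the -Path default, the temp-folder list, the extension list and the regexes
# are this script's own choices. Doctor Web's certificate categories (adware/gray/hacktool/
# malware) come from its own database and cannot be reproduced locally, so they are not checked.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed default: folder to audit
    [switch]$Recurse
)

# Drive letters of removable media on this host (Win32_LogicalDisk DriveType 2 = removable disk).
$removableDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
                   ForEach-Object { $_.DeviceID.TrimEnd(':').ToUpper() }

# Temporary folders as this script understands them (assumption; adjust to your stations).
$tempRoots = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
             Where-Object { $_ } |
             ForEach-Object { $_.TrimEnd('\') } |
             Select-Object -Unique

function Get-LaunchCriteriaHits {
    param([System.IO.FileInfo]$File)
    $hits = New-Object System.Collections.Generic.List[string]
    $full = $File.FullName

    # Signature-based criteria: Authenticode status of the file itself.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    switch ($sig.Status) {
        'NotSigned'    { $hits.Add('unsigned') }
        'HashMismatch' { $hits.Add('fake/malformed signature (file hash does not match)') }
        default {
            $cert = $sig.SignerCertificate
            if ($cert -and $cert.Subject -eq $cert.Issuer) {
                $hits.Add('self-signed certificate')
            } elseif ($sig.Status -ne 'Valid') {
                # Revoked, untrusted or otherwise broken certificate chains end up here.
                $hits.Add("signature not valid ($($sig.Status): $($sig.StatusMessage))")
            }
        }
    }

    # Sysinternals utilities carry "Sysinternals" in the CompanyName of their version resource.
    if ($File.VersionInfo.CompanyName -like '*Sysinternals*') { $hits.Add('Sysinternals utility') }

    # Location-based criteria: network shares, removable media, temporary folders.
    if ($full.StartsWith('\\')) { $hits.Add('network share (UNC path)') }
    if ($removableDrives -contains $full.Substring(0, 1).ToUpper()) { $hits.Add('removable media') }
    foreach ($root in $tempRoots) {
        if ($full.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            $hits.Add('temporary folder')
            break
        }
    }

    # Double / non-typical extension, e.g. report.pdf.exe (the regex is an assumption).
    if ($File.Name -match '\.[A-Za-z0-9]{1,5}\.(exe|com|scr|pif|msi|dll)$') {
        $hits.Add('double extension')
    }

    # Alternate data streams: any named stream besides the default ::$DATA stream.
    $extraStreams = Get-Item -LiteralPath $full -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $_.Stream -ne ':$DATA' }
    if ($extraStreams) { $hits.Add("alternate data streams: $(@($extraStreams.Stream) -join ', ')") }

    $summary = if ($hits.Count -gt 0) { $hits -join '; ' } else { '-' }
    [pscustomobject]@{ File = $full; Signature = $sig.Status; Criteria = $summary }
}

# Executable types to audit (assumption). DLLs are included because the Modules load and
# execution category follows the same recommendations as Application launch.
$executableExtensions = '.exe', '.com', '.scr', '.pif', '.msi', '.dll'

Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
    Where-Object { $executableExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-LaunchCriteriaHits -File $_ } |
    Where-Object { $_.Criteria -ne '-' } |
    Format-Table -AutoSize -Wrap
```

Run it as `.\Audit-LaunchCriteria.ps1 -Path D:\ -Recurse` (file name assumed) from an elevated prompt on a representative station. Files reported as unsigned or self-signed that are needed for work are candidates for rules in the profile before the corresponding criteria are enabled; the location checks only see where the file sits now, not where a user might copy it to.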

2. Modules load and execution. In this category, you can specify the operation mode:

Control all modules load and execution.
This mode is resource-intensive. Specify the Control all modules load and execution mode only if you need enhanced protection.

Control modules load and execution in host applications.
This mode is less resource-intensive. The Control modules load and execution in host applications mode controls the loading of modules only in host processes that can be used to compromise the system: malware can get into a system as a module loaded by a system or trusted process, or by posing as a system or trusted file. If there is no need for enhanced protection, use this mode instead of the Control all modules load and execution mode.

Recommendations for using the criteria of Modules load and execution are similar to the recommendations for using the Application launch criteria.

3. Launch of script interpreters.

Prevent running of CMD/BAT scripts.
This criterion blocks the launch of .cmd and .bat files.

Prevent running of HTA scripts.
This criterion blocks the launch of HTA (HTML Application) scripts. HTA files run outside the browser sandbox with the privileges of the user; they can execute embedded malicious scripts and download executable files to the computer.

Prevent running of VBScript/JavaScript.
This criterion blocks the launch of scripts written in VBScript and JavaScript (run by Windows Script Host). Such scripts can execute malicious code and download executable files to the computer.

Prevent running of PowerShell scripts.
This criterion blocks the launch of scripts written in the PowerShell scripting language. Such scripts can execute malicious code and download executable files to the computer.

Prevent running of REG scripts.
This criterion blocks the launch of registry script files with the .reg extension. These files are imported into the registry and can add, change or delete registry values, for example to set up persistence.

Prevent running of scripts from NTFS alternate data streams (ADS).
Scripts stored in alternate data streams are not visible in a normal directory listing and are often malicious. It is recommended to set this criterion.

Prevent running of scripts from network locations and shared folders.
Running scripts directly from a network location or shared folder is an atypical scenario that may threaten system security. It is recommended to set this criterion.

Prevent running of scripts from removable media.
Running scripts from removable media is an atypical scenario that may threaten system security. It is recommended to set this criterion.

Prevent running of scripts from temporary folders.
Running scripts from temporary folders is an atypical scenario that may threaten system security. It is recommended to set this criterion.
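Before enabling the script interpreter criteria above, it is worth knowing which scheduled tasks and autostart entries on a station already invoke the affected script types. The PowerShell script below is an added example, not part of the Dr.Web documentation or product: it lists scheduled task actions and Run/RunOnce registry entries whose command line matches a script type covered by one of the five criteria. The regular expressions and their mapping to the criteria are this script's own assumptions and are deliberately over-inclusive (for example, every powershell.exe invocation is listed for review, whether or not it runs a .ps1 file).

```powershell
# Added example, not part of the Dr.Web documentation: before enabling the "Launch of script
# interpreters" criteria, list scheduled tasks and Run/RunOnce autostart entries that invoke a
# script type covered by one of them, so legitimate automation can be moved or allowed first.
# The regular expressions and their mapping to criteria are this script's assumptions and are
# deliberately over-inclusive (e.g. any powershell.exe invocation is listed for review).
$criteria = [ordered]@{
    'Prevent running of CMD/BAT scripts'     = '\.(cmd|bat)\b'
    'Prevent running of HTA scripts'         = '\.hta\b|\bmshta(\.exe)?\b'
    'Prevent running of VBScript/JavaScript' = '\.(vbs|vbe|js|jse|wsf|wsh)\b|\b[cw]script(\.exe)?\b'
    'Prevent running of PowerShell scripts'  = '\.ps1\b|\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b'
    'Prevent running of REG scripts'         = '\.reg\b|\bregedit(\.exe)?\b'
}

# Returns the names of all criteria whose pattern matches a command line (-match ignores case).
function Get-ScriptCriteriaMatches {
    param([string]$CommandLine)
    foreach ($entry in $criteria.GetEnumerator()) {
        if ($CommandLine -match $entry.Value) { $entry.Key }
    }
}

# Scheduled task actions (Get-ScheduledTask needs Windows 8 / Server 2012 or later).
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        foreach ($crit in Get-ScriptCriteriaMatches -CommandLine $cmd) {
            [pscustomobject]@{
                Source    = "Task: $($task.TaskPath)$($task.TaskName)"
                Command   = $cmd
                Criterion = $crit
            }
        }
    }
}

# Run / RunOnce autostart entries for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runHits = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip the PSPath/PSParentPath/... metadata properties that Get-ItemProperty adds.
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        foreach ($crit in Get-ScriptCriteriaMatches -CommandLine ([string]$p.Value)) {
            [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = $p.Value; Criterion = $crit }
        }
    }
}

@($taskHits) + @($runHits) | Sort-Object Criterion, Source | Format-Table -AutoSize -Wrap
```

Each listed entry is something that would stop working once the named criterion is enabled on that station, unless it is moved off the blocked script type or covered by a rule in the profile. The script only inspects scheduled tasks and Run keys; logon scripts, services and user shortcuts need to be reviewed separately.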

4. Drivers loading.

Prevent loading of unsigned drivers.
This criterion blocks the loading of drivers that are not digitally signed. Rootkits and bootkits are often loaded as unsigned drivers, so this criterion makes it harder to exploit system and software vulnerabilities from the kernel.
This criterion is recommended for 64-bit OSes, where Windows itself requires signed kernel-mode drivers and an unsigned driver is therefore already abnormal. If there are no unsigned drivers in the system, you can also use the criterion for 32-bit OSes.

Prevent loading of vulnerable driver versions of popular software.
This criterion blocks the loading of driver versions of popular software that are known to contain vulnerabilities. Such drivers carry a valid signature, so they pass the criterion above, but attackers bring them to a system and exploit them to run code in the kernel.

info

The prohibition on loading vulnerable driver versions of popular software cannot be overridden by exclusions.

Other recommendations for using the criteria of Drivers loading are similar to the recommendations for using the Application launch criteria.
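The recommendation for 32-bit systems above depends on knowing whether any unsigned drivers are present, and the vulnerable-driver criterion is easier to assess when driver versions and hashes are on hand. The PowerShell script below is an added example, not part of the Dr.Web documentation or product: part 1 lists PnP drivers that Windows itself marks as unsigned (Win32_PnPSignedDriver, which is aware of catalog signatures), and part 2 checks the files of running kernel drivers with Get-AuthenticodeSignature and records their version and SHA-256 for comparison against a vulnerable-driver list of your choice (no such list is included). One caveat is built in: many inbox Windows drivers are signed through catalog (.cat) files rather than an embedded signature, and Get-AuthenticodeSignature reports those as NotSigned, so part 2 results under %SystemRoot% are candidates to verify, not proof of an unsigned driver. The CSV output path is an assumption.

```powershell
# Added example, not part of the Dr.Web documentation: inventory the drivers on a station before
# enabling the "Drivers loading" criteria. Part 1 uses the catalog-aware IsSigned flag of
# Win32_PnPSignedDriver; part 2 checks the files of running kernel drivers with
# Get-AuthenticodeSignature and records version and SHA-256 so they can be compared with a
# vulnerable-driver list of your choice (the list itself is not part of this script).
# Caveat: many inbox Windows drivers are signed through catalog (.cat) files rather than an
# embedded signature, and Get-AuthenticodeSignature reports those as NotSigned. Treat part 2
# results under %SystemRoot% as candidates to verify, not as proof of an unsigned driver.
# The CSV output path is an assumption.

# Part 1: PnP drivers that Windows itself does not consider signed.
$unsignedPnp = Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.IsSigned -eq $false -and $_.InfName } |
    Select-Object DeviceName, InfName, DriverVersion, Manufacturer

# Win32_SystemDriver.PathName comes in several forms; normalise them to a full file path.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                    # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot           # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^(System32|SysWOW64)\\') { $p = Join-Path $env:SystemRoot $p }   # relative form
    if ($p -notmatch '^[A-Za-z]:\\') { return $null }
    return $p
}

# Part 2: files of kernel drivers that are currently running.
$driverFiles = Get-CimInstance Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
    $svc  = $_
    $file = Resolve-DriverPath -PathName $svc.PathName
    if ($file -and (Test-Path -LiteralPath $file)) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $file
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Service   = $svc.Name
            File      = $file
            Signature = $sig.Status
            Signer    = $signer
            Version   = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
            SHA256    = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }
}

'--- PnP drivers not signed according to Windows ---'
$unsignedPnp | Format-Table -AutoSize

'--- Running kernel drivers without a valid embedded signature (verify catalog signing) ---'
$driverFiles | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Service, File, Signature, Version -AutoSize

# Full inventory with hashes, for comparison against a vulnerable-driver list (path is an assumption).
$driverFiles | Export-Csv -LiteralPath "$env:TEMP\driver-inventory.csv" -NoTypeInformation
```

Run it from an elevated prompt. An empty part 1 list on a 32-bit station is the condition under which the page recommends enabling Prevent loading of unsigned drivers there; the SHA-256 column of the CSV is what a vulnerable-driver blocklist is normally keyed on.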

5. MSI packages installation.

Recommendations for using the criteria of MSI packages installation are similar to the recommendations for using the Application launch criteria.

6. Executable files integrity.

Prevent creating new executable files.
This criterion blocks attempts to create new executable files.

Prevent modification of executable files.
This criterion blocks attempts to modify executable files.

Criteria of the Executable files integrity category are intended only for systems with a fixed, fully controlled set of software, where every change is made by an administrator (for example, ATMs and similar systems).

On other systems, using criteria of the Executable files integrity category leads to unpredictable behavior, since ordinary software updates and installers create and modify executable files, and the risk of making the station inoperable is high.

info

Criteria of the Executable files integrity category cannot be overridden by rules.