Author Topic: User's FAQ  (Read 264538 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:User's FAQ
« Reply #30 on: June 09, 2004, 06:02:45 AM »
avast!, dial-up / DSL connection and Internet Explorer

1. Right-Click the 'a' blue icon in the system tray.
2. Run avast! antivirus.
3. Right-Click the skin and choose Settings.
4. Go to Update (Advanced) tab.
5. Select the way you connect to the Internet (dial-up or DSL).
6. Go to your browser and configure 'Never dial a connection' or 'Use the default connection' or anything you want.
7. Boot.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #31 on: June 09, 2004, 06:03:18 AM »
avast! and Task Manager

The 'Page faults' in the Windows Task Manager (a column that can be shown there) are caused by almost anything a program does. A 'page fault' is a process in which a piece of memory is being recalled from the paging file. Since ashServ.exe is polling the system (checking the status) at pretty short intervals (a couple of seconds), if you have long uptimes, you'll see a huge number of page faults. They accumulate, and the number could reach a 'million' page faults. It's not ideal but it's really not a problem either. The programmers try to push this value to a minimum...

For memory usage there are two values. Actually, their names are very misleading. In fact they correspond to the 'Private Bytes' (the VM Size) and 'Working Set' (the Mem Usage) NT performance counters. This is what MS says about these values:

Private Bytes (Task Manager's "VM Size"): Private Bytes is the current size, in bytes, of memory that this process has allocated that cannot be shared with other processes. In other words, this is the memory the program has allocated (therefore, this is quite reasonable value to compare, and it normally does not fluctuate much).

Working set (Task Manager's "Mem Usage"): Working Set is the current size, in bytes, of the Working Set of this process. The Working Set is the set of memory pages touched recently by the threads in the process. If free memory in the computer is above a threshold, pages are left in the Working Set of a process even if they are not in use. When free memory falls below a threshold, pages are trimmed from Working Sets. If they are needed they will then be soft-faulted back into the Working Set before leaving main memory. (This value really has a meaning only to the developers. It has nothing to do with real memory consumption, just 'address space consumption'.) There are programmatic ways to artificially lower the Working Set value, and there are programs that use these techniques, but it's stupid to use them just to make users think that our application is taking less memory than it's actually taking, not to mention the fact that tampering with the working set can have severe performance consequences...
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #32 on: June 09, 2004, 06:03:29 AM »
Suggested packers extension list on the providers

Scan files on open:
BAT,CHM,CMD,COM,CPL,CRT,DLL,EXE,HTA,HTM*,INF,INS,ISP,JS,JSE,LNK,MSC,MSG,MSI,OCX,PIF,PIF,REG,SCR,SCT,SHB,SHS,SYS,VBE,VBS,WS?,WSC,WSF,WSH

Scan created/modified files:
...

Archive means compressed files such as ACE,ARC,ARJ,BZIP2,CAB,COM,ECE,EXE,GZ,GZIP,LHarc,MIME,PST,RAR,TAR,WinExec,ZIP,ZOO, etc.
If Scan archive files is set, avast! scans even the content of these files. But that means that it has to unpack these files (temporarily, of course). This unpacking process may take quite a lot of time.

Do not put archive files into these boxes - it may have a very bad impact on the system performance - not to mention the fact that the archived files won't be detected anyway unless you enable the corresponding packers in the resident protection task (Enhanced User Interface only). The archive scanning will treat them as normal binary files and will NOT scan actual content.

Note: Normal/High Sensitivity was indeed changed in avast 4.5: Normal is now as High was before (only selected extensions on open and copy/modify).
High now checks all files regardless of extension (on open and copy/modify).
« Last Edit: November 18, 2004, 08:31:17 PM by Technical »
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #33 on: June 09, 2004, 06:03:39 AM »
Using Group Policy Editor To Block E-mail Attachments

One of the most common ways in which viruses are spread is through e-mail attachments. Users can unknowingly open an attachment that appears to be safe but, before you know it, your computer and possibly your network are infected with some type of virus. You can configure Outlook Express to block attachments that may contain viruses using the Group Policy editor. To do so, open the run command and type gpedit.msc. This opens the Group Policy editor. Navigate to the following folder: User Configuration/Administrative Templates/Windows Components/Internet Explorer. With the Internet Explorer folder selected, you should see an option in the right pane called Configure Outlook Express. Double click this option, select the Enabled option, and place a check beside Block attachments that could contain a virus. Now your users will be unable to open any attachments that could contain a virus. (credits to Diana Huggins)
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #34 on: June 09, 2004, 06:03:53 AM »
Crashes and MDAC drivers

Especially on Win98SE, ashsimpl.exe (Simple User Interface) could cause an invalid page fault in module <unknown> at 0000:1b10f3dd if the user does not have the updated Microsoft Jet Drivers.
You may try to download and install the latest MDAC (http://www.microsoft.com/downloads).
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #35 on: June 09, 2004, 06:04:04 AM »
Restart your system in safe mode

Use the F8 method only if Windows XP is the only operating system installed on your computer.

1. Start Windows, or if it is running, shut Windows down, and then turn off the computer.

2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.

3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.

4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Once in safe mode, your screen shouldn't be frozen.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #36 on: October 22, 2004, 06:34:45 AM »
Mail Scanner

To use and configure more than one application that uses ports 25, 110 and 143 of your computer (for instance, a spam killer): If you have installed another program that uses these ports as well, it is necessary to change the port values for one of them. In the case of the Mail scanner, you can do this by setting the items SmtpListen, PopListen and ImapListen. For example: SmtpListen=127.0.0.1:26, PopListen=127.0.0.1:111, ImapListen=127.0.0.1:144. Consequently, it is necessary to set the same port values in your mail program. If you wish the Mail scanner to cooperate with another SMTP/POP3/IMAP proxy/server-type program that is installed on your computer, it is necessary to properly set the items DefaultSmtpServer, DefaultPopServer and DefaultImapServer. For example, if you want to configure your system so that the Mail scanner "sits between" your mail program and a spam killer running on the same computer, configure the Listen items as above and add: DefaultSmtpServer=127.0.0.1:25, DefaultPopServer=127.0.0.1:110.

Known problems:

If your e-mail program does not support authentication (logging in) on the SMTP server, or it cannot set a different login name for SMTP than for POP (e.g. Eudora), the Mail scanner will not be able to send your e-mails through multiple SMTP servers. In that case, use the UseDefaultSmtp=1 setting; your e-mails will be sent through a single SMTP server only, just as in avast! version 4.0.235 and earlier.

If the internet connection is too slow or the message being sent is too long, it is possible that the period your mail program waits for the response expires. A mail program that automatically disconnects after the time has elapsed is not able to send such a message. This error will not be corrected, due to the characteristics of the SMTP protocol. It is necessary to set the interval to the highest possible value.

When downloading a long message from a POP3 server, messages about timeout expiration should be eliminated. But it is still recommended to set this interval to the highest possible value, too.

If your mail program downloads the message text and attachments separately from the IMAP server (e.g. Eudora), no additional information will be put into the header or the text of the message. The checkbox "Insert note into clean message" on the "IMAP" page of the Internet Mail configuration will not work in that case.

The Mail scanner does not support SSL (TLS) connections.
The best things in life are free.
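The chained setup described in the Mail Scanner post above can be checked before restarting anything. The following is an added example, not part of the original post and not avast! code: it parses the SmtpListen/PopListen/ImapListen and Default*Server items and reports port collisions, forwarding loops and non-loopback listeners. The [MailScanner] section name, the OTHER_PROXY table and the function names are assumptions made for the example.

```python
import configparser

# Constructed sample using the values quoted in the post: the Mail scanner
# listens on 26/111/144 and forwards to a spam killer on 25/110.
SAMPLE = """
[MailScanner]
SmtpListen=127.0.0.1:26
PopListen=127.0.0.1:111
ImapListen=127.0.0.1:144
DefaultSmtpServer=127.0.0.1:25
DefaultPopServer=127.0.0.1:110
"""

# Where the other local program (the spam killer) listens. Assumed values.
OTHER_PROXY = {"smtp": ("127.0.0.1", 25), "pop": ("127.0.0.1", 110)}

# protocol -> (listen item, upstream item), names as given in the post
PROTOCOLS = {
    "smtp": ("SmtpListen", "DefaultSmtpServer"),
    "pop": ("PopListen", "DefaultPopServer"),
    "imap": ("ImapListen", "DefaultImapServer"),
}


def endpoint(value):
    """Split 'host:port' into (host, port) and reject malformed values."""
    host, _, port = value.strip().rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint: {value!r}")
    return host, int(port)


def check_chain(text, other=OTHER_PROXY):
    """Return (ports the mail client must use, list of problems found)."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep item names case-sensitive
    cp.read_string(text)
    items = cp["MailScanner"]  # section name is an assumption
    client_ports, problems, seen = {}, [], {}
    for proto, (listen_key, upstream_key) in PROTOCOLS.items():
        if listen_key not in items:
            continue
        listen = endpoint(items[listen_key])
        client_ports[proto] = listen[1]
        if listen[0] != "127.0.0.1":
            problems.append(f"{listen_key} is not bound to loopback: {listen[0]}")
        if listen in seen:
            problems.append(f"{listen_key} reuses the port of {seen[listen]}")
        seen[listen] = listen_key
        if other.get(proto) == listen:
            problems.append(f"{listen_key} collides with the other program on port {listen[1]}")
        if upstream_key in items:
            upstream = endpoint(items[upstream_key])
            if upstream == listen:
                problems.append(f"{upstream_key} points back at {listen_key} (loop)")
            elif proto in other and upstream != other[proto]:
                problems.append(f"{upstream_key} does not reach the other program")
    return client_ports, problems


if __name__ == "__main__":
    ports, problems = check_chain(SAMPLE)
    print("set the mail program to ports:", ports)
    print("problems:", problems or "none")
```

Because the post states that the Mail scanner does not support SSL (TLS), every hop in this chain carries plaintext, which is why the check flags any listener not bound to 127.0.0.1.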

Offline Lisandro

Re:User's FAQ
« Reply #37 on: October 24, 2004, 05:44:10 PM »
Protocols (Thanks to Eddy)  ;)

IMAP (Internet Message Access Protocol) is a standard protocol for accessing e-mail from your local server. IMAP (the latest version is IMAP Version 4) is a client/server protocol in which e-mail is received and held for you by your Internet server. You (or your e-mail client) can view just the heading and the sender of the letter and then decide whether to download the mail. You can also create and manipulate multiple folders or mailboxes on the server, delete messages, or search for certain parts or an entire note. IMAP requires continual access to the server during the time that you are working with your mail.

A less sophisticated protocol is Post Office Protocol 3 (POP3). With POP3, your mail is saved for you in a single mailbox on the server. When you read your mail, all of it is immediately downloaded to your computer and, except when previously arranged, no longer maintained on the server.

IMAP can be thought of as a remote file server. POP3 can be thought of as a "store-and-forward" service.

POP3 and IMAP deal with the receiving of e-mail from your local server and are not to be confused with Simple Mail Transfer Protocol (SMTP), a protocol used for exchanging e-mail between points on the Internet. Typically, SMTP is used for sending only and POP3 or IMAP are used to read e-mail.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #38 on: October 24, 2004, 05:53:07 PM »
DDOS Thanks to Eddy  ;D

On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying the system's service to legitimate users.

A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.

While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target as well as the systems controlled by the intruder.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #39 on: October 24, 2004, 05:54:01 PM »
MALWARE Thanks to Eddy  ;D

Malware (short for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #40 on: October 24, 2004, 05:54:40 PM »
ADWARE Thanks to Eddy   ;D

1) Generically, adware (spelled all lower case) is any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.

Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge. This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center.

2) AdWare is also a registered trademark that belongs to AdWare Systems, Inc. AdWare Systems builds accounting and media buying systems for the advertising industry and has no connection to pop-up advertising, spyware, or other invasive forms of online advertising.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #41 on: October 24, 2004, 05:56:17 PM »
SPYWARE Thanks to Eddy  ;D

Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.

Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared. However, spyware is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window. Adware, software designed to serve advertising, can usually be thought of as spyware as well because it almost invariably includes components for tracking and reporting user information.

The cookie is a well-known mechanism for storing information about an Internet user on their own computer. However, the existence of cookies and their use is generally not concealed from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site stores information about you in a cookie that you don't know about, the cookie mechanism could be considered a form of spyware.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #42 on: October 24, 2004, 05:56:52 PM »
WORM Thanks to Eddy  ;D

In a computer, a worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

This term is not to be confused with WORM (write once, read many).
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #43 on: October 24, 2004, 05:57:24 PM »
TROJAN Thanks to Eddy  ;D

In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan horse was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus.

The term comes from Greek mythology about the Trojan War, as told in the Aeneid by Virgil and mentioned in the Odyssey by Homer. According to legend, the Greeks presented the citizens of Troy with a large wooden horse in which they had secretly hidden their warriors. During the night, the warriors emerged from the wooden horse and overran the city.
The best things in life are free.

Offline Lisandro

Re:User's FAQ
« Reply #44 on: October 24, 2004, 05:58:04 PM »
VIRUS Thanks to Eddy  ;D

In computers, a virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded file, or diskette you've received is usually unaware that it contains a virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm.

Generally, there are three main classes of viruses:

File infectors. Some file infector viruses attach themselves to program files, usually selected .COM or .EXE files. Some can infect any program for which execution is requested, including .SYS, .OVL, .PRG, and .MNU files. When the program is loaded, the virus is loaded as well. Other file infector viruses arrive as wholly-contained programs or scripts sent as an attachment to an e-mail note.

System or boot-record infectors. These viruses infect executable code found in certain system areas on a disk. They attach to the DOS boot sector on diskettes or the Master Boot Record on hard disks. A typical scenario (familiar to the author) is to receive a diskette from an innocent source that contains a boot disk virus. When your operating system is running, files on the diskette can be read without triggering the boot disk virus. However, if you leave the diskette in the drive, and then turn the computer off or reload the operating system, the computer will look first in your A drive, find the diskette with its boot disk virus, load it, and make it temporarily impossible to use your hard disk. (Allow several days for recovery.) This is why you should make sure you have a bootable floppy.

Macro viruses. These are among the most common viruses, and they tend to do the least damage. Macro viruses infect your Microsoft Word application and typically insert unwanted words or phrases.

The best protection against a virus is to know the origin of each program or file you load into your computer or open from your e-mail program. Since this is difficult, you can buy anti-virus software that can screen e-mail attachments and also check all of your files periodically and remove any viruses that are found. From time to time, you may get an e-mail message warning of a new virus. Unless the warning is from a source you recognize, chances are good that the warning is a virus hoax.

The computer virus, of course, gets its name from the biological virus. The word itself comes from a Latin word meaning slimy liquid or poison.
The best things in life are free.