Using drweb-nss-qcontrol

To manage quarantined files and search the Quarantine directory, use the drweb-nss-qcontrol utility. On startup, the utility connects to Dr.Web Agent and receives its configuration if the --agent command line parameter is not empty.

drweb-nss-qcontrol supports the following command line parameters:

-h [ --help ] – outputs information about supported command line parameters

-v [ --version ] – outputs version number

-l [ --level ] <level> – verbosity level for logging information (logging settings are specified in the [Logging] configuration file section, as for NSS Daemon)

-i [ --ipc-level ] <level> – verbosity level for logging IPC library information

--log-filename <filename> – name of the log file

--agent <address> – Dr.Web Agent address used by other components to receive configuration. If not specified, a component does not request its configuration from Dr.Web Agent and operates with the command-line parameters and defaults

--timeout <time> – maximum time to wait for reply from Dr.Web Daemon and configuration from Dr.Web Agent.

--show <regexp> – outputs general information on files in Quarantine. <regexp> specifies a regular expression for names of required files. Information is displayed in the following format:

NAME: original=[PATH] size=SIZE put_time=TIME viruses=[VIRUSES] code=CODE mode=ATTRIBUTES

where:

NAME – name of the file in Quarantine

PATH – full path to the original file location

SIZE – file size in bytes

TIME – local time when the file was quarantined

VIRUSES – comma-separated list of all viruses detected in the file

CODE – Dr.Web Daemon return code in hexadecimal form

ATTRIBUTES – original file attributes in octal form (the attributes are reset when restoring the file).

Saved NSS attributes are not output.

Example:

eicar.comf8JRCG: original=[/media/nss/VOLENC/eicar.com] size=105 put_time=2010-Aug-26 14:08:10 viruses=[infected with EICAR Test File (NOT a Virus!)] code=0x20 mode=0100666
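An added example (not part of the original documentation and not Dr.Web code): a Python parser for the --show record format described above, which also separates entries whose saved mode carries set-id or execute bits so they can be reviewed before a --restore. The function names, the second sample record and the "risky" rule are assumptions made for illustration.

```python
import re
import stat
from datetime import datetime

# Field layout follows the --show format line documented above.
SHOW_RE = re.compile(
    r"^(?P<name>.+?): original=\[(?P<original>.*)\] size=(?P<size>\d+) "
    r"put_time=(?P<put_time>\S+ \S+) viruses=\[(?P<viruses>.*)\] "
    r"code=(?P<code>0x[0-9A-Fa-f]+) mode=(?P<mode>[0-7]+)$"
)

def parse_show_line(line):
    """Parse one --show record into a dict; return None if it does not match."""
    m = SHOW_RE.match(line.strip())
    if m is None:
        return None
    mode = int(m["mode"], 8)  # ATTRIBUTES are printed in octal
    return {
        "name": m["name"],
        "original": m["original"],
        "size": int(m["size"]),
        "put_time": datetime.strptime(m["put_time"], "%Y-%b-%d %H:%M:%S"),
        "viruses": [v.strip() for v in m["viruses"].split(",") if v.strip()],
        "code": int(m["code"], 16),  # CODE is printed in hexadecimal
        "mode": mode,
        "mode_str": stat.filemode(mode),
    }

def review_before_restore(lines):
    """Split records into (risky, ordinary, unparsed) ahead of a --restore."""
    risky, ordinary, unparsed = [], [], []
    for line in filter(str.strip, lines):
        rec = parse_show_line(line)
        if rec is None:
            unparsed.append(line)  # never silently drop a record
        elif rec["mode"] & (stat.S_ISUID | stat.S_ISGID | 0o111):
            risky.append(rec)      # set-id or executable once restored
        else:
            ordinary.append(rec)
    return risky, ordinary, unparsed

SAMPLE = [  # first record: the example from this page; second: constructed
    "eicar.comf8JRCG: original=[/media/nss/VOLENC/eicar.com] size=105 "
    "put_time=2010-Aug-26 14:08:10 "
    "viruses=[infected with EICAR Test File (NOT a Virus!)] code=0x20 mode=0100666",
    "tool.binQx71Za: original=[/media/nss/VOLENC/bin/tool.bin] size=20480 "
    "put_time=2010-Aug-27 09:15:02 viruses=[Sample.One, Sample.Two] "
    "code=0x20 mode=0104755",
]
```

Feed the captured lines of drweb-nss-qcontrol --show output to review_before_restore() in place of SAMPLE; anything returned in the third list did not match the documented format and should be inspected by hand.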

--remove <regexp> – removes files matching the specified regular expression from the Quarantine directory.

Example:

drweb-nss-qcontrol --remove .

Because the regular expression . matches any file name, all files will be removed from the Quarantine directory.

--restore <regexp> – attempts to restore files matching the specified regular expression to their original location (or to another directory if the --restore-dir command line parameter is specified). All file attributes are restored. File attributes supported only by NSS are restored if the target directory is located in the NSS volume.

If a file to be restored is infected, specify the path to its original location in the ExcludedPaths parameter in the [NSS] section and ensure that it is not specified in the IncludedPaths parameter. Otherwise, NSS Daemon immediately detects the infected file and returns it to the Quarantine directory. If a quarantined file is considered not infected after a virus database update, you can restore it to its original location by specifying the --rescan command line parameter. In this case, if another file with the same name is located in the original directory, the user is asked whether or not to replace it with the restored file.

Example:

drweb-nss-qcontrol --restore eicar

The utility attempts to restore all files containing eicar in their names to the original location.

--restore-dir <directory> – sets the restore directory used for the --restore command line parameter.

Example:

drweb-nss-qcontrol --restore-dir sample/directory --restore eicar

The utility attempts to restore all files containing 'eicar' in their names to the specified directory "sample/directory". If this directory is not in the NSS volume, file attributes supported only by NSS are not restored.

--answer <answer> – specifies automatic reply whether or not to replace the file when the --restore action is applied.

Example:

drweb-nss-qcontrol --restore eicar.comf8JRCG --answer yes

The utility attempts to restore all files with names containing eicar to their original location overwriting existing files automatically.

--rescan <regexp> – sends all files with names matching the regular expression to Dr.Web Daemon for rescanning. If after rescanning the file is considered not malicious, it will be automatically restored.

You can use this parameter to enable automatic restore of "cleaned" files from the Quarantine directory. Add a line similar to the following to crontab. It rescans quarantined files every 30 minutes and restores "clean" files; if another file with the same name already resides in the original directory, it is not overwritten:

*/30 * * * * sh -c "/opt/drweb/drweb-nss-qcontrol --rescan . --answer no"