Configuration

Dr.Web Scanner can be used with default settings, but you may find it convenient to configure it according to your needs. Dr.Web Scanner settings are stored in the configuration file (drweb32.ini by default), which is located in the %etc_dir directory.

To use another configuration file, specify the full path to it as a command line parameter, for example:

$ %bin_dir/drweb -ini=%bin_dir/etc/drweb.ini

For the general principles of how Dr.Web for Novell Storage Services configuration files are organized, see Configuration files.

[Scanner]

EnginePath = {path to file}

Location of drweb32.dll module (anti-virus engine Dr.Web Engine).

This parameter is also used by Dr.Web Updater.

Default value:

EnginePath = %bin_dir/lib/drweb32.dll

VirusBase = {list of file masks}

Masks for loading virus databases.

This parameter is also used by Dr.Web Updater. Multiple values are allowed (separated by commas).

By default, virus database files have a .vdb extension.

Default value:

VirusBase = %var_dir/bases/*.vdb

UpdatePath = {path to directory}

This parameter is used by Dr.Web Updater (update.pl) and is mandatory.

Default value:

UpdatePath = %var_dir/updates/

TempPath = {path to directory}

Directory where anti-virus engine Dr.Web Engine stores temporary files.

It is used for unpacking archives or when the system is low on memory.

Default value:

TempPath = /tmp/

LngFileName = {path to file}

Language file location.

By default, language files have a .dwl extension.

Default value:

LngFileName = %bin_dir/lib/ru_scanner.dwl

Key = {path to file}

Key file location (license or demo).

By default, key files have a .key extension.

Default value:

Key = %bin_dir/drweb32.key

OutputMode = {Terminal | Quiet}

Output mode:

Terminal - console output

Quiet - no output

Default value:

OutputMode = Terminal

HeuristicAnalysis = {logical}

Enables or disables heuristic detection of unknown viruses.

Heuristic analysis can detect previously unknown viruses that are not included in the virus database. It relies on advanced algorithms to determine whether the structure of a scanned file is similar to the architecture of a virus. Because of that, heuristic analysis can produce false positives: all objects detected by this method are considered suspicious.

Please send all suspicious files to Dr.Web through http://vms.drweb.com/sendvirus/ for checking. To send a suspicious file, put it in a password-protected archive, include the password in the message body and attach the Dr.Web Scanner report.

Default value:

HeuristicAnalysis = Yes

ScanPriority = {signed numerical value}

Dr.Web Scanner process priority.

Value must be between –20 (highest priority) and 19 (Linux) or 20 (other UNIX-like operating systems).

Default value:

ScanPriority = 0

FilesTypes = {list of file extensions}

File types to be checked "by type", i.e. when the ScanFiles parameter (explained below) has ByType value.

"*" and "?" wildcard characters are allowed.

Default value:

FilesTypes = EXE, COM, SYS, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD, VXD, 386, DLL, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, AR?, ZIP, R??, PP?, OBJ, LIB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SHS, SHB, PIF, SO, CHM, REG, XML, PRC, ASP, LSP, MSO, OBD, THE*, NWS, SWF, BMP, MPP, OCX, DVB, CPY, MSG, EML

FilesTypesWarnings = {logical}

Notifies about files of unknown types.

Default value:

FilesTypesWarnings = Yes

ScanFiles = {All | ByType}

Instructs the scanner to scan all files (All value) or only files with the extensions specified in the FilesTypes parameter (ByType value).

The parameter can have the ByType value only in the local scan mode. In other modes, the value must be set to All.

All mail files are scanned regardless of the ScanFiles parameter value.

Default value:

ScanFiles = All

ScanSubDirectories = {logical}

Enables or disables scanning of subdirectories.

Default value:

ScanSubDirectories = Yes

CheckArchives = {logical}

Enables or disables checking of files in archives (RAR, ARJ, TAR, GZIP, CAB and others).

Default value:

CheckArchives = Yes

CheckEMailFiles = {logical}

Enables or disables checking mail files.

Default value:

CheckEMailFiles = Yes

ExcludePaths = {list of path | file masks}

Masks for files to be skipped during scanning.

Multiple values are allowed (separated by commas).

Default value:

ExcludePaths = /proc,/sys,/dev

FollowLinks = {logical}

Allows or forbids Dr.Web Scanner to follow symbolic links during scanning.

Default value:

FollowLinks = No

RenameFilesTo = {mask}

Mask for renaming files when the Rename action is applied.

Default value:

RenameFilesTo = #??

MoveFilesTo = {path to directory}

Path to the Quarantine directory.

Default value:

MoveFilesTo = %var_dir/infected/

EnableDeleteArchiveAction = {logical}

Enables or disables Delete action for complex objects (archives, mailboxes, HTML pages) if they contain infected files.

Please note that if the action is enabled, the whole complex object is deleted. Use this option carefully!

Default value:

EnableDeleteArchiveAction = No

InfectedFiles = {action}

Sets one of the following actions upon detection of an infected file:

Report, Cure, Delete, Move, Rename, Ignore.

Delete and Move actions are applied to a whole complex object upon detection of infected files within it.

Default value:

InfectedFiles = Report

SuspiciousFiles = {action}

Sets one of the following actions upon detection of a suspicious file:

Report, Delete, Move, Rename, Ignore.

Default value:

SuspiciousFiles = Report

IncurableFiles = {action}

Sets one of the following actions applied if an infected file cannot be cured (use only if InfectedFiles = Cure):

Report, Delete, Move, Rename, Ignore.

Default value:

IncurableFiles = Report

ActionAdware = {action}

Sets one of the following actions upon detection of adware:

Report, Delete, Move, Rename, Ignore.

Default value:

ActionAdware = Report

ActionDialers = {action}

Sets one of the following actions upon detection of a dialer program:

Report, Delete, Move, Rename, Ignore.

Default value:

ActionDialers = Report

ActionJokes = {action}

Sets one of the following actions upon detection of a joke program:

Report, Delete, Move, Rename, Ignore.

Default value:

ActionJokes = Report

ActionRiskware = {action}

Sets one of the following actions upon detection of a potentially dangerous program:

Report, Delete, Move, Rename, Ignore.

Default value:

ActionRiskware = Report

ActionHacktools = {action}

Sets one of the following actions upon detection of a hacktool:

Report, Delete, Move, Rename, Ignore.

Default value:

ActionHacktools = Report

ActionInfectedMail = {action}

Sets one of the following actions upon detection of an infected file in a mailbox:

Report, Delete, Move, Rename, Ignore.

Default value:

ActionInfectedMail = Report

ActionInfectedArchive = {action}

Sets one of the following actions upon detection of an infected file in an archive (ZIP, TAR, RAR, etc.):

Report, Delete, Move, Rename, Ignore.

Default value:

ActionInfectedArchive = Report

ActionInfectedContainer = {action}

Sets one of the following actions upon detection of an infected file in a container (OLE, HTML, PowerPoint, etc.):

Report, Delete, Move, Rename, Ignore.

Default value:

ActionInfectedContainer = Report

Logging parameters:

LogFileName = {syslog | file name}

Log file name.

You can specify syslog as a log file name to use syslogd system service for logging.

In this case you must also specify the SyslogFacility and SyslogPriority parameters.

Default value:

LogFileName = syslog

SyslogFacility = {syslog label}

Log type label which is used by syslogd system service.

Default value:

SyslogFacility = Daemon

SyslogPriority = {log level}

Log verbosity level when syslogd system service is used.

The following levels are allowed:

Error

Alert

Warning

Info

Notice

Default value:

SyslogPriority = Info

LimitLog = {logical}

Enables or disables limit of log file size (if LogFileName value is not set to syslog).

With this parameter enabled, Dr.Web Scanner checks log file size on startup. If log file size exceeds the MaxLogSize parameter value, log file content will be erased and logging will start from scratch.

Default value:

LimitLog = No

MaxLogSize = {numerical value}

Maximum log file size in Kbytes.

Used only with LimitLog = Yes.

If this parameter value is set to 0, log file size is not checked.

Default value:

MaxLogSize = 512

LogScanned = {logical}

Enables or disables logging of information about all scanned objects regardless of whether they are infected or not.

Default value:

LogScanned = Yes

LogPacked = {logical}

Enables or disables logging of additional information about files packed with DIET, PKLITE and other utilities.

Default value:

LogPacked = Yes

LogArchived = {logical}

Enables or disables logging of additional information about files archived with various archiving utilities.

Default value:

LogArchived = Yes

LogTime = {logical}

Enables or disables logging of time for each record. Parameter is not used if LogFileName = syslog.

Default value:

LogTime = Yes

LogStatistics = {logical}

Enables or disables logging of scan statistics.

Default value:

LogStatistics = Yes

RecodeNonprintable = {logical}

Enables or disables transcoding of characters that are undisplayable on a given terminal (see also the description of the following two parameters).

Default value:

RecodeNonprintable = Yes

RecodeMode = {Replace | QuotedPrintable}

Transcoding mode for non-printable characters if RecodeNonprintable = Yes.

When RecodeMode = Replace, all non-printable characters are substituted with the RecodeChar parameter value (see below).

When RecodeMode = QuotedPrintable, all non-printable characters are converted to the Quoted Printable encoding.

Default value:

RecodeMode = QuotedPrintable

RecodeChar = {"?" | "_" | ...}

Sets character for replacing non-printable characters if RecodeMode = Replace.

Default value:

RecodeChar = "?"

The following parameters can be used to reduce time of scanning archives (by skipping some objects in an archive).

MaxCompressionRatio = {numerical value}

Maximum compression ratio, that is, the ratio between the size of the unpacked file and its size within the archive. If the ratio exceeds the specified value, the file is not extracted and therefore is not checked. An email message with such an archive is considered a "mail bomb".

The parameter can have only natural values.

If the value is set to 0, the compression ratio is not checked.

Default value:

MaxCompressionRatio = 5000

CompressionCheckThreshold = {numerical value}

Minimum size of a file enclosed within an archive, in Kbytes. If a file size is less than the specified value, the compression ratio will not be checked (if such a check is enabled by the MaxCompressionRatio parameter).

Default value:

CompressionCheckThreshold = 1024

MaxFileSizeToExtract = {numerical value}

Maximum size of a file enclosed in an archive, in Kbytes. If a file size exceeds the specified value, the file is skipped.

An email message with such a file is considered a "mail bomb".

Default value:

MaxFileSizeToExtract = 500000

MaxArchiveLevel = {numerical value}

Maximum archive nesting level.

If an archive nesting level exceeds the specified value, the archive is skipped.

An email message with such a file is considered a "mail bomb".

If the value is set to 0, the archive nesting level is not checked.

Default value:

MaxArchiveLevel = 8

MaximumMemoryAllocationSize = {numerical value}

Maximum size of the memory (in Mbytes) that can be used by Dr.Web Scanner to check one file.

If the value is set to 0, memory allocation is not limited.

Default value:

MaximumMemoryAllocationSize = 0

ScannerScanTimeout = {numerical value}

Maximum time period allowed for scanning one file (in seconds).

If the value is set to 0, scanning time is not limited.

Default value:

ScannerScanTimeout = 0

MaxBasesObsolescencePeriod = {numerical value}

Maximum time (in hours) after the last update during which virus databases are considered up to date.

When this period expires, a notification is displayed stating that the databases are obsolete.

If the value is set to 0, the age of the databases is not checked.

Default value:

MaxBasesObsolescencePeriod = 24

ControlAgent = {address}

Dr.Web Agent socket address.

Example:

ControlAgent = inet:4040@127.0.0.1,local:%var_dir/ipc/.agent

Dr.Web Scanner receives a license key file and configuration from Dr.Web Agent (if OnlyKey = No).

Default value:

ControlAgent = local:%var_dir/ipc/.agent

OnlyKey = {logical}

Enables receiving only a license key file from Dr.Web Agent, without configuration. In this case, Dr.Web Scanner uses the local configuration file.

If the value is set to No and the address of a Dr.Web Agent socket is specified, Dr.Web Agent also receives statistics on Dr.Web Scanner operation (information is sent after the scanning of each file).

Default value:

OnlyKey = No
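
Several of the parameters above reduce what is scanned or switch a limit off (a value of 0, a logical set to No, ScanFiles = ByType, an action of Ignore), and two limits are already 0 by default. The following added example, which is not part of the Dr.Web documentation or product, audits the [Scanner] section for those settings. The names audit_scanner_ini and SAMPLE are hypothetical, and the code assumes that keys are written with the case shown on this page and that logical values are Yes or No.

```python
import configparser

# Keys for which this page states that 0 switches the limit or check off.
ZERO_DISABLES = ("MaxCompressionRatio", "MaxArchiveLevel", "ScannerScanTimeout",
                 "MaximumMemoryAllocationSize", "MaxBasesObsolescencePeriod")
# Logical keys whose "No" value narrows what gets scanned.
COVERAGE = ("HeuristicAnalysis", "ScanSubDirectories", "CheckArchives", "CheckEMailFiles")
ACTIONS = ("InfectedFiles", "SuspiciousFiles", "IncurableFiles")
# Defaults from this page, applied when a key is absent from the file.
DEFAULTS = {"MaxCompressionRatio": "5000", "MaxArchiveLevel": "8",
            "ScannerScanTimeout": "0", "MaximumMemoryAllocationSize": "0",
            "MaxBasesObsolescencePeriod": "24", "ScanFiles": "All",
            "EnableDeleteArchiveAction": "No", **{k: "Yes" for k in COVERAGE}}
# Constructed sample, not a shipped configuration file.
SAMPLE = """[Scanner]
VirusBase = %var_dir/bases/*.vdb
CheckArchives = No
MaxArchiveLevel = 0
ActionRiskware = Ignore
"""

def audit_scanner_ini(text):
    """Return sorted (key, finding) pairs for the [Scanner] section of text."""
    # interpolation=None: values such as %var_dir/bases/*.vdb contain a bare '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    raw = dict(cp["Scanner"]) if cp.has_section("Scanner") else {}
    cfg = {**DEFAULTS, **{k: v.strip() for k, v in raw.items()}}
    out = []
    for key in ZERO_DISABLES:
        if not cfg[key].isdecimal():
            out.append((key, "not a non-negative integer: %r" % cfg[key]))
        elif int(cfg[key]) == 0:
            out.append((key, "0: limit or check is off"))
    for key in COVERAGE:
        if cfg[key].lower() == "no":
            out.append((key, "No: scan coverage reduced"))
    if cfg["ScanFiles"].lower() == "bytype":
        out.append(("ScanFiles", "ByType: only FilesTypes extensions scanned"))
    if cfg["EnableDeleteArchiveAction"].lower() == "yes":
        out.append(("EnableDeleteArchiveAction", "Yes: whole complex objects deleted"))
    for key, value in cfg.items():
        if (key in ACTIONS or key.startswith("Action")) and value.lower() == "ignore":
            out.append((key, "action set to Ignore"))
    return sorted(out)

if __name__ == "__main__":
    print("\n".join("%s: %s" % f for f in audit_scanner_ini(SAMPLE)))
```

An empty or default configuration still yields findings for ScannerScanTimeout and MaximumMemoryAllocationSize, because both default to 0.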