Operating Principles
The component operates as a service that receives requests from Dr.Web for UNIX Internet Gateways components to scan file system objects (files and boot disk records). It queues scanning tasks and scans the requested objects by using Dr.Web Virus-Finding Engine. If a threat is detected and the scanning task instructs the engine to cure threats, the scanning engine attempts to cure it, provided that this action can be applied to the scanned object.
The figure below shows the operation scheme of the Dr.Web Scanning Engine.
Figure 16. Diagram of the components’ operation
The scanning engine, the anti-virus engine Dr.Web Virus-Finding Engine, and the virus databases form one unit and cannot be separated: the scanning engine downloads virus databases and provides the operation environment for the cross-platform anti-virus engine Dr.Web Virus-Finding Engine.
The virus databases and the anti-virus engine are updated by the Dr.Web Updater update component, which is included in the product but is not a part of the scanning engine. The update component is run by the Dr.Web ConfigD configuration daemon periodically or on demand, when the user sends the corresponding command. Moreover, if Dr.Web for UNIX Internet Gateways operates in central protection mode, the virus databases and the anti-virus engine are updated by the Dr.Web ES Agent (it is not shown in the diagram above). The latter component interacts with the central protection server and receives the updates.
The scanning engine can operate both under the management of the configuration daemon Dr.Web ConfigD and in an autonomous mode. In the former case, the daemon runs the engine and ensures that the virus databases are up to date. In the latter case, engine startup and updating of the virus databases are performed by an external application that uses the engine.
The Dr.Web for UNIX Internet Gateways components that send requests to the scanning engine asking it to scan files for them (indicated as “Client modules” in the diagram) use the same interface as other external applications would.
Received tasks are automatically distributed into queues with different priorities: high, normal and low. Selection of the queue depends on the component that created a task: for example, tasks created by a file system monitor receive high priority as response time is important for monitoring.
The scanning engine computes statistics of its operations, including the number of all tasks received for scanning and the queue length. As the average load rate, the scanning engine uses the average length of queues per second. This rate is averaged for the last minute, last 5 minutes and last 15 minutes.
Dr.Web Virus-Finding Engine supports signature analysis (signature-based threat detection) and other methods of heuristic and behavioral analysis designed for detection of potentially dangerous objects based on machine instructions and other attributes of executable code.
It is recommended that you choose to move suspicious objects to quarantine. After virus databases are updated, such files can be scanned using signature analysis. Keep the virus databases up to date in order to avoid errors of the second type.
Dr.Web Virus-Finding Engine allows you to scan and cure both files and packed objects or objects in different containers (such as archives, email messages, etc.).
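As an added illustration (not Dr.Web code), the following Python model shows the three priority queues and the 1-, 5- and 15-minute load rate described above. The component names, the strict high-before-normal-before-low dispatch order, the default priority and the plain arithmetic mean over one-second samples are assumptions; the page states only that file system monitor tasks receive high priority.

```python
from collections import deque

PRIORITIES = ("high", "normal", "low")
WINDOWS = {"1min": 60, "5min": 300, "15min": 900}  # window sizes in seconds

# Assumed mapping: the page says only that file system monitor tasks are high priority.
COMPONENT_PRIORITY = {"fs_monitor": "high", "on_demand_scan": "low"}


class ScanQueueModel:
    """Toy model of prioritized scan queues with per-second load sampling."""

    def __init__(self):
        self.queues = {p: deque() for p in PRIORITIES}
        self.received = 0  # total number of tasks received for scanning
        # One sample of total queue length per second; keep the last 15 minutes.
        self.samples = deque(maxlen=max(WINDOWS.values()))

    def submit(self, component, path):
        # Components not in the mapping default to normal priority (assumption).
        prio = COMPONENT_PRIORITY.get(component, "normal")
        self.queues[prio].append((component, path))
        self.received += 1
        return prio

    def next_task(self):
        # Strict priority order: high, then normal, then low (assumption).
        for p in PRIORITIES:
            if self.queues[p]:
                return self.queues[p].popleft()
        return None

    def tick(self):
        # Called once per second: record the current total queue length.
        self.samples.append(sum(len(q) for q in self.queues.values()))

    def load_average(self):
        # Mean queue length over each window; with no samples yet, report 0.0.
        recent = list(self.samples)
        result = {}
        for name, seconds in WINDOWS.items():
            window = recent[-seconds:]
            result[name] = sum(window) / len(window) if window else 0.0
        return result
```

A 1-minute value well above the 15-minute value indicates a recent burst of scan requests, while all three values rising together indicates a sustained backlog in which low-priority tasks wait longest.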