Main Functions


Dr.Web for UNIX Internet Gateways performs the following main functions:

1.Detection and neutralization of threats. The product searches for malicious programs (for example, viruses, including those that infect mail files and boot records, Trojans, and mail worms) and for unwanted software (for example, adware, joke programs, and dialers). For more information on the types of computer threats, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

Signature analysis, which allows detection of known threats

Heuristic analysis, which allows detection of threats that are not yet present in the virus databases

The Dr.Web Cloud service, which collects up-to-date information about recent threats and makes it available to Dr.Web products.

Note that the heuristic analyzer may produce false positives. Objects in which the analyzer detects a threat are therefore classified as “suspicious” rather than as known infections. It is recommended that you quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis. For details on the methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When the file system is scanned at the user's request, either a full scan of all file system objects available to the user or a selective scan of specified objects only (individual directories, or files that match the specified criteria) can be performed. It is also possible to separately check the boot records of volumes and the executable files that back the processes currently running in the system. In the latter case, when a threat is detected, the malicious executable file is neutralized and, in addition, all processes running from it are forcibly terminated. In systems that implement a mandatory access control model with a set of different access levels, files that are not accessible at the current access level can be scanned in a special autonomous copy mode.

The Dr.Web Ctl command-line management tool included in the product can also scan the file systems of remote network hosts that provide remote terminal access via SSH.

Remote scanning can only detect malicious and suspicious files on a remote host; it cannot neutralize them. To eliminate detected threats on the remote host, the administration tools provided by that host itself must be used. For routers and other “smart” devices, for example, a firmware update mechanism can be used; for computers, the threat can be removed by connecting to them (for example, over a remote terminal session) and performing the required operations in their file system (removing or moving files, and so on), or by running anti-virus software installed on them.


2.Analyzing data transmitted to and from the Internet. Not only user requests are monitored (that is, attempts to connect to a web server and to transmit a file to it), but also the data sent back in response to those requests. To analyze requests and response data, the program connects via the ICAP protocol as an external filter to the proxy server that handles the HTTP connections of local network users. In addition, the SpIDer Gate component can act as a barrier that prevents the organization's public server from receiving or transmitting infected files (this option is available only for GNU/Linux). To restrict access to unwanted websites, the product uses automatically updated databases of web resource categories, which are supplied together with Dr.Web for UNIX Internet Gateways, as well as white lists and black lists created manually by the system administrator. The product also queries the Dr.Web Cloud service to check whether an Internet resource has been marked as malicious by other Dr.Web products.

Note that the product is not intended to check transit network traffic. It is intended for integration with a locally installed HTTP proxy server (for example, Squid) or web server.


3.Reliable isolation of infected or suspicious objects. Such objects detected in the server's file system are moved to a special storage area, the quarantine, to prevent any harm to the system. When moved to quarantine, objects are renamed according to special rules; if necessary, they can be restored to their original location, but only on explicit demand.

Threats detected by the Dr.Web ICAPD component in HTTP protocol messages are not moved to the quarantine on the Internet gateway. Instead, the download and its transfer to the recipient are blocked, and the user is shown a special HTML page with a message explaining the block.
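The ICAP integration described under item 2 and the blocking behaviour described above can be illustrated with one RESPMOD round trip between a proxy (the ICAP client) and a content filter (the ICAP server). The following Python example is added here and is not Dr.Web code: the threat check is a stand-in for the anti-virus engine that only matches the public EICAR test string, and the service URI, the ISTag value, the block page text and the sample HTTP messages are constructed assumptions, not product defaults. It shows both sides of the exchange, including the case where the proxy does not offer `Allow: 204` and the filter must echo a clean object back instead of answering “unchanged”.

```python
# Added example (not Dr.Web code): one ICAP RESPMOD round trip between an HTTP
# proxy (ICAP client) and a content filter (ICAP server). The threat check is a
# stand-in for the anti-virus engine and only matches the EICAR test string.
# Service URI, ISTag and block page are assumptions, not product defaults.

# Public EICAR anti-virus test signature, used here as constructed sample data.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SERVICE_URI = "icap://127.0.0.1:1344/respmod"   # assumed filter address
ISTAG = '"demo-db-0001"'                          # assumed ISTag (changes with the database)
BLOCK_PAGE = (b"<html><body><h1>Access blocked</h1>"
              b"<p>The requested object contains a threat.</p></body></html>")


def chunked(body: bytes) -> bytes:
    """Encapsulated ICAP bodies use HTTP chunked encoding; one chunk suffices."""
    return f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body; stops at the zero-length terminating chunk."""
    out = bytearray()
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # drop chunk extensions
        if size == 0:
            return bytes(out)
        out += data[:size]
        data = data[size + 2:]                      # skip chunk data and its CRLF


def parse_message(raw: bytes):
    """Split an ICAP message into start line, headers, Encapsulated offsets and
    the encapsulated HTTP section that follows the ICAP headers."""
    head, _, enc = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(b":")
        headers[k.strip().lower()] = v.strip()
    offsets = {}
    for part in headers[b"encapsulated"].split(b","):
        k, _, v = part.strip().partition(b"=")
        offsets[k.decode()] = int(v)
    return lines[0], headers, offsets, enc


def icap_head(status_line: str, encapsulated: str) -> bytes:
    """ICAP status line plus the two headers every response carries."""
    return f"{status_line}\r\nISTag: {ISTAG}\r\nEncapsulated: {encapsulated}\r\n\r\n".encode()


# ---- proxy side (ICAP client, the role Squid plays for RESPMOD) --------------
def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Wrap the origin server's response in a RESPMOD request. 'Allow: 204' lets
    the filter answer 'unchanged' without echoing the whole object back."""
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap = (f"RESPMOD {SERVICE_URI} ICAP/1.0\r\nHost: 127.0.0.1\r\n"
            f"Allow: 204\r\nEncapsulated: {enc}\r\n\r\n").encode()
    return icap + req_hdr + res_hdr + chunked(body)


def deliver(icap_response: bytes, orig_res_hdr: bytes, orig_body: bytes):
    """What the proxy sends to the user: the untouched origin response on 204,
    or the filter's replacement response (here, the block page) on 200."""
    start, _, offsets, enc = parse_message(icap_response)
    status = int(start.split(b" ")[1])
    if status == 204:
        return status, orig_res_hdr, orig_body
    hdr_end = offsets["res-body"]
    return status, enc[:hdr_end], dechunk(enc[hdr_end:])


# ---- filter side (ICAP server) -----------------------------------------------
def scan(body: bytes):
    """Stand-in for the anti-virus engine: returns a threat name or None."""
    return "EICAR-Test-File" if EICAR in body else None


def handle_respmod(raw: bytes) -> bytes:
    start, headers, offsets, enc = parse_message(raw)
    if not start.startswith(b"RESPMOD "):
        return icap_head("ICAP/1.0 405 Method Not Allowed", "null-body=0")
    body = dechunk(enc[offsets["res-body"]:]) if "res-body" in offsets else b""
    threat = scan(body)
    if threat is None:
        if b"204" in headers.get(b"allow", b""):
            return icap_head("ICAP/1.0 204 No Content", "null-body=0")
        # Client did not offer 204: the unmodified response must be echoed back.
        res_hdr = enc[offsets["res-hdr"]:offsets["res-body"]]
        return icap_head("ICAP/1.0 200 OK", f"res-hdr=0, res-body={len(res_hdr)}") + res_hdr + chunked(body)
    # Threat found: nothing is quarantined on the gateway; a 403 carrying the
    # block page replaces the origin response so the user never receives the file.
    http = (f"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(BLOCK_PAGE)}\r\n\r\n").encode()
    return icap_head("ICAP/1.0 200 OK", f"res-hdr=0, res-body={len(http)}") + http + chunked(BLOCK_PAGE)


def exchange(body: bytes):
    """One round trip; returns (ICAP status, HTTP status seen by the user, body delivered)."""
    req_hdr = b"GET http://example.test/download.bin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    reply = handle_respmod(build_respmod(req_hdr, res_hdr, body))
    icap_status, hdr, delivered = deliver(reply, res_hdr, body)
    return icap_status, int(hdr.split(b" ")[1]), delivered


if __name__ == "__main__":
    print(exchange(b"hello, clean file"))              # (204, 200, b'hello, clean file')
    print(exchange(b"prefix" + EICAR + b"suffix")[:2])  # (200, 403)
```

The `Encapsulated` header is what makes the exchange work: it tells each side where the HTTP request header, response header and chunked body start inside the ICAP payload, so a filter can scan the body without re-parsing HTTP, and a 204 answer lets a clean object pass with no second copy of it on the wire. A real deployment adds the OPTIONS handshake, preview, timeouts and a fail-open or fail-closed policy for an unreachable filter; none of that is shown here.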

4.Automatic update of the anti-virus engine, the virus databases, and the databases of web resource categories, to maintain a high level of protection against malware.

5.Collection of statistics on virus events and logging of threat detection events. Notification of detected threats over SNMP to external monitoring systems and to the central protection server (if the product operates in central protection mode).

6.Operation in central protection mode (when connected to a central protection server, such as Dr.Web Enterprise Server, or as part of the Dr.Web AV-Desk service). This mode allows a unified security policy to be enforced on the computers of the protected network, which can be a corporate network, a private network (VPN), or a service provider's network (for example, that of an Internet service provider).