Operating Principles


The component operates as a service that receives requests to scan file system objects (files and boot records) from the Dr.Web for UNIX Mail Servers components. It queues the scanning tasks and scans the requested objects using Dr.Web Virus-Finding Engine. If a threat is detected and the scanning task instructs the engine to cure threats, the scanning engine attempts to cure the object, provided that this action can be applied to the scanned object. The figure below shows the operation scheme of the Dr.Web Scanning Engine component.

Figure 18. Diagram of the components’ operation

The scanning engine, the anti-virus engine Dr.Web Virus-Finding Engine, and the virus databases form one unit and cannot be separated: the scanning engine loads the virus databases and provides the operating environment for the cross-platform anti-virus engine Dr.Web Virus-Finding Engine. The virus databases and the anti-virus engine are updated by the Dr.Web Updater update component, which is included in the product but is not a part of the scanning engine. The update component is started by the Dr.Web ConfigD configuration daemon, either periodically or on demand, when the user sends the corresponding command. Moreover, if Dr.Web for UNIX Mail Servers operates in central protection mode, the virus databases and the anti-virus engine are updated by the Dr.Web ES Agent (not shown in the scheme above). This component interacts with the central protection server and receives the updates from it.

The scanning engine can operate both under the management of the Dr.Web ConfigD configuration daemon and in an autonomous mode. In the former case, the daemon starts the engine and ensures that the virus databases are up to date. In the latter case, engine startup and virus database updates are performed by the external application that uses the engine. The Dr.Web for UNIX Mail Servers components that ask the scanning engine to scan files for them (indicated as “Client modules” in the diagram) use the same interface as any other external application would.

Users can create their own component (an external application) that uses Dr.Web ASE to check files. For this purpose, Dr.Web Scanning Engine provides a special API based on Google Protobuf. To obtain the Dr.Web Scanning Engine API guide and examples of client applications that use Dr.Web Scanning Engine, contact the Doctor Web partner care department (https://partners.drweb.com/).

Received tasks are automatically distributed into queues with different priorities: high, normal and low. The queue is selected according to the component that created the task: for example, tasks created by a file system monitor receive high priority, because response time is important for monitoring. The scanning engine keeps statistics on its operation, including the total number of tasks received for scanning and the queue length. The average load rate is defined as the average queue length per second; this rate is averaged over the last minute, the last 5 minutes and the last 15 minutes.
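The following is an added Python model of the queuing and load statistics described above; it is not Dr.Web code. The mapping of client components to priorities and the strict highest-queue-first dispatch are assumptions (the page states only that file system monitor tasks get high priority); the load rate is computed exactly as described, as the queue length sampled once per second and averaged over 1-, 5- and 15-minute windows.

```python
"""Constructed model of a three-priority scan task scheduler with load statistics."""
from collections import deque
from dataclasses import dataclass, field

PRIORITIES = ("high", "normal", "low")

# Assumed mapping of requesting components to queue priorities. Only the
# file system monitor -> high assignment is stated in the documentation.
CLIENT_PRIORITY = {
    "filesystem_monitor": "high",
    "mail_filter": "normal",
    "on_demand_scan": "low",
}


@dataclass
class ScanScheduler:
    queues: dict = field(default_factory=lambda: {p: deque() for p in PRIORITIES})
    tasks_received: int = 0
    # One sample per second; 900 samples cover the 15-minute window.
    samples: deque = field(default_factory=lambda: deque(maxlen=900))

    def submit(self, client: str, path: str) -> str:
        """Queue a scan task; unknown clients fall back to normal priority."""
        prio = CLIENT_PRIORITY.get(client, "normal")
        self.queues[prio].append(path)
        self.tasks_received += 1
        return prio

    def next_task(self):
        """Strict priority dispatch: drain high before normal before low.
        Whether the real engine guards low-priority tasks against starvation
        is not stated on the page; this model does not."""
        for prio in PRIORITIES:
            if self.queues[prio]:
                return prio, self.queues[prio].popleft()
        return None

    def queue_length(self) -> int:
        return sum(len(q) for q in self.queues.values())

    def tick(self) -> None:
        """Record one per-second sample of the total queue length."""
        self.samples.append(self.queue_length())

    def load_rate(self) -> tuple:
        """Average queue length over the last 60, 300 and 900 samples."""
        def avg(n: int) -> float:
            window = list(self.samples)[-n:]
            return sum(window) / len(window) if window else 0.0
        return avg(60), avg(300), avg(900)
```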

Dr.Web Virus-Finding Engine supports signature analysis (signature-based threat detection) as well as heuristic and behavioral analysis methods designed to detect potentially dangerous objects based on machine instructions and other attributes of executable code.

Heuristic analysis cannot guarantee highly reliable results and may produce the following errors:

Errors of the first type. These occur when a safe object is detected as malicious (false positives).

Errors of the second type. These occur when a malicious object is detected as safe (false negatives).

For this reason, objects detected by the heuristic analyzer are treated as Suspicious.

It is recommended that you choose to move suspicious objects to quarantine. After virus databases are updated, such files can be scanned using signature analysis. Keep the virus databases up to date in order to avoid errors of the second type.

Dr.Web Virus-Finding Engine can scan and cure both plain files and packed objects, as well as objects inside containers of various kinds (such as archives, email messages, etc.).