Main Functions

Dr.Web for UNIX Mail Servers main functions:

1. Detection and neutralization of threats. Searches for malicious programs (for example, viruses, including those that infect mail files and boot records, Trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers). For more information on computer threat types, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

Signature analysis, which allows detection of known threats

Heuristic analysis, which allows detection of threats that are not present in virus databases

Dr.Web Cloud service that collects up-to-date information about recent threats and sends it to Dr.Web products.

Note that the heuristic analyzer may raise false positive detections. Thus, objects that contain threats detected by the analyzer are considered “suspicious”. It is recommended that you choose to quarantine such files and send them for analysis to Doctor Web anti-virus laboratory. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When scanning the file system on the user's request, either a full scan of all file system objects available to the user or a selective scan of specified objects only (separate directories, or files that meet the specified criteria) can be performed. In addition, separate checks of volume boot records and of the executable files behind the processes currently running in the system can be performed. In the latter case, when a threat is detected, not only is the malicious executable file neutralized, but all processes running from it are forcibly terminated. In systems that implement a mandatory access control model for files with a set of different access levels, files that are not available at the current access level can be scanned in a special autonomous copy mode.

The Dr.Web Ctl command-line management tool included in the product allows scanning the file systems of remote network hosts that provide remote terminal access via SSH for threats.

Remote scanning can be used only for detection of malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, the administration tools provided directly by that host must be used. For example, for routers and other “smart” devices, a firmware update mechanism can be used; for computers, this can be done by connecting to them (for example, via a remote terminal session) and performing the respective operations in their file system (removing or moving files, etc.), or by running anti-virus software installed on them.


2. Email message scanning. The product supports the following modes of email message scanning:

Mode of an external filter connected to the mail server (MTA). The product can be integrated into any mail server that supports the Milter, Spamd or Rspamd interfaces for connecting external filters. In the filter mode, on the MTA's initiative, all emails arriving at the mail server are passed via the integration interface to Dr.Web for UNIX Mail Servers and scanned. Depending on the capabilities of the interface, Dr.Web for UNIX Mail Servers, operating as a filter, can:

Inform the server of the email scanning results. In this case, the mail server must process the email message on its own according to the results received (reject the delivery, add headers or modify the email contents if the scanning result reports the presence of threats).

Command the mail server to skip or reject an email message.

Modify an email message by adding the indicated headers or removing detected malicious or unwanted contents. Removed malicious contents are attached to the email message as a password-protected archive. The recipient of the email message can request the password for unpacking the protected archive from the mail server administrator. If required, though not recommended, the administrator can configure the use of archives that are not password-protected.

Sending commands to the mail server and returning the modified email message are supported only by the Milter interface. The Spamd and Rspamd interfaces do not allow Dr.Web for UNIX Mail Servers to send commands to the server or to return a modified email message; one of two verdicts is returned to the server: “email message is spam” or “email message is not spam”. In this case, to indirectly modify the rejected email message, you can use the rule action REJECT <description>. The <description> parameter, if specified, is used as the value of the Message header added by the MTA to the email after the message about the scanning results.


Invisible proxy mode for mail protocols. In this mode, the product (using SpIDer Gate) acts as a proxy server embedded into the data exchange channel between MTAs and/or MUAs, transparently to the communicating parties, and scans the transmitted messages. The product can be transparently embedded into the main mail protocols: SMTP, POP3, IMAP. In this mode, depending on the capabilities of the protocol it is embedded into, Dr.Web for UNIX Mail Servers can pass the email message on to the recipient (either unmodified, or modified by added headers or by repacking) or block its delivery, including returning the correct protocol error to the sender or the recipient.

The transparent proxy mode is available only for GNU/Linux.


Depending on the distribution and settings, Dr.Web for UNIX Mail Servers performs the following checks when scanning email messages:

Detection of malicious attachments that contain threats;

Search for links to malicious websites or websites from the unwanted categories;

Detection of signs of spam (both using the automatically updated rule base of spam filtering and the mechanism of checking the presence of sender’s address in the DNSxL black lists);

Compliance with the security criteria established independently by the administrator of the mail system (scanning of the body and headers of messages using regular expressions).

To check links to unwanted websites that may be present in email messages, the automatically updated database of web resource categories distributed along with Dr.Web for UNIX Mail Servers is used. In addition, Dr.Web Cloud is queried to check whether the web resource mentioned in the email message has been marked as malicious by other Dr.Web products.

Note that the product is not intended for checking transit network traffic. It is intended for integration with a locally installed mail server (MTA/MDA).
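As an added illustration (not the product's own code or rule format), the following Python sketch shows how two of the checks listed above fit together: administrator-defined regular expressions over headers and body, and a DNSxL lookup of the connecting IP address, whose query name is built by reversing the octets under the list zone. The sample message, the rules, the zone name and the resolver table are all constructed for this example; a real deployment would resolve the query name over DNS.

```python
import re
import ipaddress
from email import message_from_string, policy

# Constructed sample message for this example (not from the product documentation).
SAMPLE_EML = """\
Received: from mx.example.net ([192.0.2.45])
From: "Promo" <promo@example.net>
To: user@example.org
Subject: URGENT!!! Claim your prize
Content-Type: text/plain; charset="utf-8"

Click here now to claim your prize: http://example.net/prize
"""

# Hypothetical administrator criteria: (header name or "body", regex). Constructed here.
RULES = [
    ("Subject", re.compile(r"(?i)urgent!{2,}")),
    ("body", re.compile(r"(?i)claim\s+your\s+prize")),
]

# Constructed stand-in for a DNSxL zone: a listed address answers with an A record
# in 127.0.0.0/8 whose last octet encodes the listing reason; unlisted -> no answer.
FAKE_DNSXL = {"45.2.0.192.dnsbl.example.invalid": "127.0.0.2"}

def dnsxl_query_name(ip: str, zone: str) -> str:
    """Build the DNSxL lookup name: IPv4 octets in reverse order, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def sender_ip(msg):
    """Extract the connecting IP from the topmost Received header, if present."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg.get("Received", "")))
    return m.group(1) if m else None

def scan(raw: str, zone: str, resolve):
    """Return ("skip" | "reject", reasons); resolve(name) returns an A record or None."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    reasons = []
    for field, pattern in RULES:
        text = body_text if field == "body" else str(msg.get(field, ""))
        if pattern.search(text):
            reasons.append(f"rule matched in {field}: {pattern.pattern}")
    ip = sender_ip(msg)
    if ip is not None:
        answer = resolve(dnsxl_query_name(ip, zone))
        if answer and answer.startswith("127.0.0."):
            reasons.append(f"sender {ip} listed in {zone} ({answer})")
    return ("reject" if reasons else "skip"), reasons
```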

 

3. Reliable isolation of infected or suspicious objects. Such objects detected in the server's file system are moved to a special storage, the quarantine, to prevent any harm to the system. When moved to quarantine, objects are renamed according to special rules and, if necessary, can be restored to their original location only on demand.

The threats detected by the Dr.Web MailD component in email messages are moved to the quarantine on the server and are also sent to the recipient in the modified email message, packed in a password-protected archive. The user can access the contents of the archive only by entering the password received from the product administrator.

4. Automatic update of the anti-virus engine, virus databases, databases of web resource categories and the database of email spam filtering rules, to maintain a high level of protection against malware.

5. Collection of statistics on virus events and logging of threat detection events. Notification of detected threats over SNMP to external monitoring systems and to the central protection server (if the product operates in central protection mode).

6. Operation in central protection mode (when connected to a central protection server, such as Dr.Web Enterprise Server, or as a part of the Dr.Web AV-Desk service). This mode allows implementing a unified security policy on computers within the protected network. It can be a corporate network, a private network (VPN), or a network of a service provider (for example, an Internet service provider).

In Dr.Web for UNIX Mail Servers, starting from version 11.0, the list of actions that can be applied to an email message has been significantly reduced.

Starting from version 11.0, Dr.Web for UNIX Mail Servers executes only the following actions with email messages:

Email message check for compliance with the criteria established by the administrator and scanning for signs of spam (also via a check of the sender's domain in DNSxL black lists, when so configured);

Search for links to malicious websites or websites from the unwanted categories;

Detection of malicious attachments.

If the protocol used to receive an email message for scanning and the party that sent the email message (MTA/MDA or MUA) support modification of the email messages transferred for scanning, then, besides the standard actions “skip” and “reject”, Dr.Web for UNIX Mail Servers can repack email messages on the basis of one of the predefined repack templates (during repacking, all threats are moved to a protected archive attached to the email, and a notification about threats and/or unwanted contents is added to the email body). Basic functionality for adding and modifying email headers is also supported.

All other actions (for example, sending notifications to an administrator, or completely removing or renaming attached files), if required, should be implemented on the side of the protected mail server (MTA/MDA), if necessary by connecting specific third-party filter plug-ins designed for the corresponding processing.


Depending on the distribution, the anti-spam library may be unavailable in the product. If any email messages are falsely classified by the anti-spam library, it is recommended to forward them to the special addresses for analysis and improvement of the spam filter quality:

email messages, incorrectly assessed as spam, should be forwarded to vrnonspam@drweb.com;

spam email messages, which were not detected as spam, should be forwarded to vrspam@drweb.com.

Each email message submitted for analysis should first be saved in .eml format. The saved files should be attached to the email message sent to the corresponding service address.