Operation Principles

The component is designed to provide access to file system objects (files, folders, boot records). It is started with superuser (root) privileges.

It indexes all checked files and directories and stores the data on checked objects in a special cache, so that objects that were already checked and have not been modified since then are not checked again: if a request to check such an object is received, the previous check result is retrieved from the cache and returned. The component operation scheme is shown in the picture below.

Picture 35. Component operation scheme

When a request to check a file system object is received from a Dr.Web for UNIX File Servers component, Dr.Web File Checker checks whether this object requires scanning. If so, a scanning task is generated for the Dr.Web Scanning Engine. If the scanned object contains a threat, Dr.Web File Checker neutralizes it (deletes or quarantines it) if this action was specified by the client component that initiated the scanning. Scanning can be initiated by various product components (for example, the SpIDer Guard for SMB monitor).

During scanning, the component generates and sends the client component a report with scan results and applied actions, if any.
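The caching rule described above (return the stored result when an object has not been modified since its last check, otherwise scan it again) can be illustrated as follows. This is an added example, not Dr.Web code: ScanCache, fingerprint, toy_engine and the choice of stat fields used to detect modification are assumptions made for illustration, and the sample file content is constructed.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def fingerprint(path):
    """Metadata assumed to change whenever the object is modified or replaced."""
    st = os.stat(path, follow_symlinks=False)
    return (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns, st.st_ctime_ns)


@dataclass
class ScanCache:
    """Hypothetical verdict cache: path -> (fingerprint, verdict)."""
    engine: callable                      # stand-in for the scanning engine
    entries: dict = field(default_factory=dict)
    engine_calls: int = 0

    def check(self, path):
        path = os.path.realpath(path)
        fp = fingerprint(path)
        cached = self.entries.get(path)
        if cached and cached[0] == fp:
            return cached[1], True        # not modified since last check: reuse result
        self.engine_calls += 1
        verdict = self.engine(Path(path).read_bytes())
        # Re-stat after reading: if the file changed during the scan, do not cache.
        if fingerprint(path) == fp:
            self.entries[path] = (fp, verdict)
        return verdict, False


def toy_engine(data):
    """Constructed stand-in: flags a made-up marker string, not a real signature."""
    return "infected" if b"SAMPLE-THREAT-MARKER" in data else "clean"


def demo():
    cache = ScanCache(engine=toy_engine)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        Path(p).write_bytes(b"harmless content")
        first = cache.check(p)            # scanned by the engine
        second = cache.check(p)           # served from the cache
        Path(p).write_bytes(b"xx SAMPLE-THREAT-MARKER xx")  # modification
        third = cache.check(p)            # fingerprint differs: rescanned
    return first, second, third, cache.engine_calls
```

Each call returns the verdict together with a flag showing whether it came from the cache; the engine runs only twice for the three requests in demo().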

Apart from the standard scanning method, the following special methods are available for internal use:

The "flow" scanning method. A component that uses this scanning method initializes detection and neutralization parameters only once. These parameters are then applied to all subsequent file check requests coming from that component. This method is used by the SpIDer Guard monitor.

The "proxy" scanning method. A component that uses this scanning method scans files without applying any actions (including event logging) to detected threats. Necessary actions must be applied by the component that initiated the scanning process. This method is used by the SpIDer Guard for SMB monitor and the Dr.Web ClamD component.

Files can be scanned with the "flow" and "proxy" scanning methods by the Dr.Web Ctl utility (launched by the drweb-ctl command) using the flowscan and proxyscan commands. However, for standard on-demand scanning, it is recommended to use the scan command.

The component collects statistics on scanned files, averaging the number of files scanned per second over the last minute, 5 minutes, and 15 minutes.