Operation Principles
The component operates as a service that receives requests from Dr.Web for UNIX File Servers components to scan file system objects (files and boot disk records). It queues the scanning tasks and scans the requested objects by using Dr.Web Virus-Finding Engine. If a threat is detected and the scanning task instructs the engine to cure threats, the scanning engine attempts to cure it, provided that this action can be applied to the scanned object.

The picture below shows the operation scheme of Dr.Web Scanning Engine.

Picture 34. Component operation scheme

The scanning engine, the anti-virus engine Dr.Web Virus-Finding Engine, and the virus databases form one unit and cannot be separated: the scanning engine downloads virus databases and provides the operation environment for the cross-platform anti-virus engine Dr.Web Virus-Finding Engine.

The virus databases and the anti-virus engine are updated by the special module Dr.Web Updater, which is included in the product but is not part of the scanning engine. The module is run by the configuration daemon Dr.Web ConfigD, either periodically or on demand when the user sends the corresponding command. Moreover, if Dr.Web for UNIX File Servers operates in enterprise mode, the virus databases and the anti-virus engine are updated by the central protection agent Dr.Web ES Agent (not shown in the scheme above), which interacts with the central protection server and receives the updates.

The scanning engine can operate either under the management of the configuration daemon Dr.Web ConfigD or in standalone mode. In the former case, the daemon runs the engine and ensures that the virus databases are up to date. In the latter case, engine startup and updating of the virus databases are performed by the external application that uses the engine. Dr.Web for UNIX File Servers components that submit file scanning tasks (indicated as "Client module" in the scheme) use the same interface as external applications do.
Received tasks are automatically distributed into queues with different priorities: high, normal and low. Selection of the queue depends on the component that created the task: for example, tasks created by a file system monitor receive high priority, as response time is important for monitoring.

The scanning engine computes statistics of its operations, including the number of all tasks received for scanning and the queue length. As the average load rate, the scanning engine uses the average length of queues per second. This rate is averaged for the last minute, last 5 minutes and last 15 minutes.

The anti-virus engine Dr.Web Virus-Finding Engine supports signature analysis (signature-based detection of threats) as well as heuristic and behavioral analysis methods, which detect a potentially dangerous object based on machine instructions and other attributes of malicious code.
It is recommended to move suspicious objects to quarantine. After the virus databases are updated, such files can be scanned using signature analysis. Keep the virus databases up to date in order to avoid type II errors.

Dr.Web Virus-Finding Engine can scan and cure both files and packed objects or objects in different containers (such as archives, email messages, etc.).
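
The priority queues and the 1, 5 and 15 minute load rates described above can be modeled as follows. This is an added illustration, not Dr.Web code: the class name, the component names other than the file system monitor, the file paths and the one-sample-per-second loop are assumptions.

```python
import heapq
from collections import deque
from itertools import count

# Assumed component names; the page only says file system monitor tasks are high priority.
COMPONENT_PRIORITY = {"fs_monitor": 0, "on_demand_scan": 1, "scheduled_scan": 2}
WINDOWS = (60, 300, 900)  # seconds: last 1, 5 and 15 minutes


class ScanQueueModel:
    def __init__(self):
        self._heap = []            # (priority, sequence, path); 0 = high, 1 = normal, 2 = low
        self._seq = count()        # tie-breaker keeps FIFO order within one priority
        self._samples = deque()    # (timestamp, queue length), one sample per second
        self.received = 0          # total number of tasks received

    def submit(self, component, path):
        priority = COMPONENT_PRIORITY.get(component, 1)  # unknown senders: normal
        heapq.heappush(self._heap, (priority, next(self._seq), path))
        self.received += 1

    def next_task(self):
        return heapq.heappop(self._heap)[2] if self._heap else None

    def sample(self, now):
        """Record the current queue length and drop samples older than 15 minutes."""
        self._samples.append((now, len(self._heap)))
        while self._samples[0][0] <= now - WINDOWS[-1]:
            self._samples.popleft()

    def load_average(self, now):
        """Mean queue length over the last 1, 5 and 15 minutes."""
        averages = []
        for window in WINDOWS:
            values = [n for t, n in self._samples if t > now - window]
            averages.append(sum(values) / len(values) if values else 0.0)
        return tuple(averages)


def simulate():
    """Constructed scenario: idle for 14 minutes, then three tasks stay queued."""
    model = ScanQueueModel()
    for second in range(1, 901):
        if second == 841:
            model.submit("scheduled_scan", "/srv/share/archive.zip")
            model.submit("fs_monitor", "/srv/share/upload.doc")
            model.submit("on_demand_scan", "/srv/share/report.pdf")
        model.sample(second)
    load = model.load_average(900)
    return load, [model.next_task() for _ in range(3)]
```

A 1-minute rate well above the 15-minute rate, as in this scenario, indicates a recent burst of scan requests rather than sustained backlog.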