1. Command Format for Calling the Command-Line Utility to Manage the Product
The call format for the command-line tool which manages Dr.Web for UNIX File Servers operation is as follows:
$ drweb-ctl [<general options> | <command> [<argument>] [<command options>]]
Where:
•<general options>—options that can be applied on startup when the command is not specified or can be applied for any command. Not mandatory for startup.
•<command>—command to be performed by Dr.Web for UNIX File Servers (for example, start scanning, output the list of quarantined objects, and other commands).
•<argument>—command argument. Depends on the specified command. It can be missing for certain commands.
•<command options>—options for managing the operation of the specified command. They can be omitted for some commands.
2. General Options
The following general options are available:
Option
|
Description
|
-h, --help
|
Show general help information and exit. To display the help information on any command, use the following call:
|
-v, --version
|
Show information on the module version and exit
|
-d, --debug
|
Instructs to show debug information upon execution of the specified command. It cannot be executed if a command is not specified. Use the call
|
3. Commands
Commands to manage Dr.Web for UNIX File Servers can be divided into the following groups:
•Anti-virus scanning commands.
•Commands to manage updates and operation in central protection mode.
•Configuration management commands.
•Commands to manage detected threats and quarantine.
•Information commands.
|
To request documentation about this component of the product from the command line, use the following command: man 1 drweb-ctl
|
3.1. Anti-virus Scanning Commands
The following commands to manage anti-virus scanning are available:
Command
|
Description
|
scan <path>
|
Purpose: Start checking the specified file or directory via the Dr.Web File Checker component.
Arguments:
<path>—path to the file or directory which is selected for scanning.
This argument may be omitted, if you use the --stdin or the --stdin0 option. To specify several files that satisfy a certain criterion, use the find utility (see the Usage Examples) and the --stdin or --stdin0 option.
Options:
-a [--Autonomous]—run a separate instance of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified checks and terminate their operation after the scanning task is completed. Note that threats detected during stand-alone scanning are not added to the common threat list that is displayed using the threats command (see below).
--stdin—get the list of paths to scan from the standard input stream (stdin). Paths in the list must be separated by the newline character ('\n').
--stdin0—get the list of paths to scan from the standard input stream (stdin). Paths in the list must be separated by the NUL character ('\0').
|
When using --stdin and --stdin0 options, the paths in the list should not contain patterns or regular expressions for a search. Recommended usage of the --stdin and --stdin0 options is processing a path list (generated by an external utility, for example, find) in the scan command (see Usage Examples).
|
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be at least equal to 2.
Default value: 3000
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--OnKnownVirus <action>—action applied to a threat detected by using signature-based analysis.
Allowed values: REPORT, CURE, QUARANTINE, DELETE.
Default value: REPORT
--OnIncurable <action>—action applied on failure to cure a detected threat or if a threat is incurable.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnSuspicious <action>—action applied to a suspicious object detected by heuristic analysis.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnAdware <action>—action applied to detected adware programs.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnDialers <action>—action applied to dialers.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnJokes <action>—action applied to joke programs.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnRiskware <action>—action applied to potentially dangerous programs (riskware).
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnHacktools <action>—action applied to hacktools.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
|
If a threat is detected in a file located in a container (an archive, email message, etc.), its removal (DELETE) is replaced with moving the container to quarantine (QUARANTINE).
|
|
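An added example (not part of the Dr.Web documentation) for the --stdin and --stdin0 options of the scan command described above: it builds a constructed directory containing a file name with an embedded newline and shows that a newline-separated list splits that name into two broken paths, while a NUL-separated list keeps it whole. The function names and the SCAN_ROOT variable are assumptions made for this illustration.

```sh
# Added example: why "find -print0 | drweb-ctl scan --stdin0" is the safer
# way to hand a generated path list to the scanner.

# Build a constructed sample tree: one ordinary file and one file whose
# name contains a newline character. Prints the path of the tree.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    nl_name=$(printf 'invoice\nq3-constructed.txt')
    printf 'sample\n' > "$root/report.txt"
    printf 'sample\n' > "$root/$nl_name"
    printf '%s\n' "$root"
}

# Number of path records a newline-separated reader (--stdin) receives.
count_newline_records() {
    find "$1" -type f -print | wc -l | tr -d ' '
}

# Number of path records a NUL-separated reader (--stdin0) receives.
count_nul_records() {
    find "$1" -type f -print0 | tr -cd '\0' | wc -c | tr -d ' '
}

# Number of newline-separated records that do not name an existing file.
# These are the fragments the scanner would be asked to check instead of
# the real file, which would then go unscanned.
count_broken_records() {
    find "$1" -type f -print | {
        n=0
        while IFS= read -r line; do
            [ -e "$line" ] || n=$((n + 1))
        done
        printf '%s\n' "$n"
    }
}

# Scan every regular file under a directory through a NUL-separated list.
# Only options documented for the scan command are used.
scan_tree() {
    find "$1" -type f -print0 |
        drweb-ctl scan --stdin0 --Report BRIEF \
            --OnKnownVirus QUARANTINE --OnSuspicious REPORT
}

# Run a real scan only when drweb-ctl is installed and SCAN_ROOT
# (hypothetical variable for this example) names a directory.
if command -v drweb-ctl >/dev/null 2>&1 && [ -d "${SCAN_ROOT:-}" ]; then
    scan_tree "$SCAN_ROOT"
fi
```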
bootscan
<disk drive> | ALL
|
Purpose: Start checking boot records on the specified disks via the Dr.Web File Checker component. Both MBR and VBR records are scanned.
Arguments:
<disk drive>—path to the block file of a disk device whose boot record you want to scan. You can specify several disk devices separated by spaces. The argument is mandatory. If ALL is specified instead of the device file, all boot records on all available disk devices will be checked.
Options:
-a [--Autonomous]—run a separate instance of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified checks and terminate their operation after the scanning task is completed. Note that threats detected during stand-alone scanning are not added to the common threat list that is displayed using the threats command (see below).
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--Cure <Yes|No>—enable or disable attempts to cure detected threats.
If the value is set to No, only a notification about a detected threat is displayed.
Default value: No
--ShellTrace—enable display of additional debug information when scanning a boot record.
|
procscan
|
Purpose: Start checking executable files containing code of currently running processes with the Dr.Web File Checker. If a malicious executable file is detected, it is neutralized, and all processes run by this file are forced to terminate.
Arguments: None.
Options:
-a [--Autonomous]—run a separate instance of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified checks and terminate their operation after the scanning task is completed. Note that threats detected during stand-alone scanning are not added to the common threat list that is displayed using the threats command (see below).
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--OnKnownVirus <action>—action applied to a threat detected by using signature-based analysis.
Allowed values: REPORT, CURE, QUARANTINE, DELETE.
Default value: REPORT
--OnIncurable <action>—action applied on failure to cure a detected threat or if a threat is incurable.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnSuspicious <action>—action applied to a suspicious object detected by heuristic analysis.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnAdware <action>—action applied to detected adware programs.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnDialers <action>—action applied to dialers.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnJokes <action>—action applied to joke programs.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnRiskware <action>—action applied to potentially dangerous programs (riskware).
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnHacktools <action>—action applied to hacktools.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
Note that if a threat is detected in an executable file, Dr.Web for UNIX File Servers terminates all processes started from the file.
|
netscan <path>
|
Purpose: Start distributed scanning of the specified file or directory via the Dr.Web Network Checker agent for network data scanning. If there are no configured connections to other hosts that are running Dr.Web for UNIX, then the scanning will be done only via the locally-available scanning engine (similar to the scan command).
Arguments:
<path>—path to the file or directory which is selected to be scanned.
Options:
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be at least equal to 2.
Default value: 3000
--Cure <Yes|No>—enable or disable attempts to cure detected threats.
If the value is set to No, only a notification about a detected threat is displayed.
Default value: No
|
flowscan <path>
|
Purpose: to start scanning the specified file or directory via Dr.Web File Checker using the “flow” method (normally this method is used internally by SpIDer Guard).
|
For on-demand scanning of files and directories, it is recommended that you use the scan command.
|
Arguments:
<path>—path to the file or directory which is selected to be scanned.
Options:
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be at least equal to 2.
Default value: 3000
--OnKnownVirus <action>—action applied to a threat detected by using signature-based analysis.
Allowed values: REPORT, CURE, QUARANTINE, DELETE.
Default value: REPORT
--OnIncurable <action>—action applied on failure to cure a detected threat or if a threat is incurable.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnSuspicious <action>—action applied to a suspicious object detected by heuristic analysis.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnAdware <action>—action applied to detected adware programs.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnDialers <action>—action applied to dialers.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnJokes <action>—action applied to joke programs.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnRiskware <action>—action applied to potentially dangerous programs (riskware).
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
--OnHacktools <action>—action applied to hacktools.
Allowed values: REPORT, QUARANTINE, DELETE.
Default value: REPORT
|
If a threat is detected in a file located in a container (an archive, email message, etc.), its removal (DELETE) is replaced with moving the container to quarantine (QUARANTINE).
|
|
proxyscan <path>
|
Purpose: Start scanning the specified file or directory via Dr.Web File Checker using the “flow” method (normally this method is used internally by the SpIDer Guard for SMB monitor and Dr.Web ClamD component).
|
Note that threats detected by this scanning method are not included into the list of detected threats that is displayed by the threats command (see below).
For on-demand scanning of files and directories, it is recommended that you use the scan command.
|
Arguments:
<path>—path to the file or directory which is selected to be scanned.
Options:
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be at least equal to 2.
Default value: 3000
|
rawscan <path>
|
Purpose: to start “raw” scanning of the specified file or directory by Dr.Web Scanning Engine directly, without the use of Dr.Web File Checker.
|
Note that threats detected by “raw” scanning are not included into the list of detected threats that is displayed by the threats command (see below).
It is recommended that you use this command only to debug the functioning of Dr.Web Scanning Engine. Note that the command outputs the “cured” status if at least one of the threats detected in a file is neutralized (not all threats might be neutralized). Thus, it is not recommended to use this command if you need thorough file scanning. In the latter case it is recommended to use the scan command.
|
Arguments:
<path>—path to the file or directory which is selected to be scanned.
Options:
--ScanEngine <path>—path to the UNIX socket of the Dr.Web Scanning Engine. If not specified, an autonomous instance of the scanning engine is started (which will be shut down once the scanning is completed).
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be at least equal to 2.
Default value: 3000
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
--Cure <Yes|No>—enable or disable attempts to cure detected threats.
If the value is set to No, only a notification about a detected threat is displayed.
Default value: No
--ListCleanItem—enable outputting the list of clean (non-infected) files found inside a container that was scanned.
--ShellTrace—enable display of additional debug information when scanning a file.
|
remotescan
<host> <path>
|
Purpose: Connect to the specified remote host and start scanning the specified file or directory using SSH.
|
Note that threats detected by remote scanning will not be neutralized and also will not be included into the list of detected threats that is displayed by the threats command (see below).
This function can be used only for detection of malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, it is necessary to use administration tools provided directly by this host. For example, for routers and other “smart” devices, a mechanism for a firmware update can be used; for computing machines, it can be done via a connection to them (as an option, using a remote terminal mode) and respective operations in their file system (removal or moving of files, etc.), or via running an anti-virus software installed on them.
|
Arguments:
<host>—IP address or a domain name of the remote host.
<path>—path to the file or directory which is selected to be scanned.
Options:
-l [--Login] <name>—login (user name) used for authorization on the remote host via SSH.
If a user name is not specified, there will be an attempt to connect to a remote host on behalf of the user who has launched the command.
-i [--Identity] <path to file>—path to the file containing a private key used for authentication of the specified user via SSH.
-p [--Port] <number>—number of the port on the remote host for connecting via SSH.
Default value: 22
--Password <password>—password used for authentication of a user via SSH.
Please note that the password is transferred as plain text.
--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.
Allowed values:
•BRIEF—brief report.
•DEBUG—detailed report.
Default value: BRIEF
--ScanTimeout <number>—specify timeout to scan one file, in ms.
If the value is set to 0, time on scanning is not limited.
Default value: 0
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).
If the value is set to 0, nested objects will be skipped during scanning.
Default value: 8
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be at least equal to 2.
Default value: 3000
--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.
Default value: On
|
3.2. Commands to manage updates and operation in Central protection mode
The following commands for managing updates and operation in central protection mode are available:
Command
|
Description
|
update
|
Purpose: Initiate the updating process of the anti-virus components (virus databases, anti-virus engine, etc. depending on the distribution) from Doctor Web’s update servers.
|
esconnect
<server>[:<port>]
|
Purpose: Connect Dr.Web for UNIX File Servers to the specified central protection server (for example, Dr.Web Enterprise Server). For details, refer to Operation Modes.
Arguments:
•<server>—IP address or network name of the host on which the central protection server is operating. This argument is mandatory.
•<port>—port number used by the central protection server. The argument is optional and should be specified only if the central protection server uses a non-standard port.
Options:
--Key <path>—path to the public key file of the central protection server to which connection is performed.
--Login <ID>—login (workstation identifier) used for connection to the central protection server.
--Password <password>—password for connection to the central protection server.
--Group <ID>—identifier of the group to which the workstation is added on connection.
--Rate <ID>—identifier of the tariff group applied to your workstation when it is included in one of the central protection server groups (can be specified only together with the --Group option).
--Compress <On|Off>—enables (On) or disables (Off) forced compression of transmitted data. If not specified, usage of compression is determined by the server.
--Encrypt <On|Off>—enables (On) or disables (Off) forced encryption of transmitted data. If not specified, usage of encryption is determined by the server.
--Newbie—connect as a “newbie” (get a new account on the server).
|
This command requires drweb-ctl to be started with root privileges. If necessary, use the su or sudo commands.
|
|
esdisconnect
|
Purpose: Disconnect Dr.Web for UNIX File Servers from the central protection server and switch its operation to standalone mode.
The command has no effect if Dr.Web for UNIX File Servers already operates in standalone mode.
Arguments: None.
Options: None
|
This command requires drweb-ctl to be started with root privileges. If necessary, use the su or sudo commands.
|
|
3.3. Configuration Management Commands
The following commands to manage configuration are available:
Command
|
Description
|
cfset
<section>.<parameter> <value>
|
Purpose: to change the active value of the specified parameter in the current configuration.
Note that an equals sign is not allowed.
Arguments:
•<section>—name of the configuration file’s section where the parameter resides. This argument is mandatory.
•<parameter>—name of the parameter. The argument is mandatory.
•<value>—new value that is to be assigned to the parameter. The argument is mandatory.
The following format is always used to specify a parameter value: <section>.<parameter> <value>.
Note that if you want to specify several parameter values, you need to repeat the cfset command as many times as the number of parameter values you want to add. In addition, to add a new value to the list of the parameter values, you need to use the -a option (see below). You cannot use the form <parameter> value1, value2, because the string value1, value2 will be considered a single parameter value.
For description of the configuration file, refer to the section Appendix D. Configuration File, or to the documentation page displayed by man 5 drweb.ini.
Options:
-a [--Add]—do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can have several values, specified as a list). You should also use this option when adding a new parameter group identified by a tag.
-e [--Erase]—do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list). You can also use this option to delete the whole group of parameters with a tag.
-r [--Reset]—reset the parameter value to the default. At that, <value> is not required in the command and is ignored if specified.
Options are not mandatory. If they are not specified, then the current parameter value (the entire list of values, if the parameter currently holds several values) is substituted with the specified value.
If you use the -r option for sections that contain individualized parameter settings for different connection points to the Dr.Web ClamD component or for sections that contain individualized parameter settings for different shared directories for the SpIDer Guard for SMB monitor, parameter value in the individualized settings section will be changed to the value of its “parent” parameter having the same name and located in the general settings section of this component.
If it is necessary to add a new connection point <point> for Dr.Web ClamD or a section containing parameters for a Samba shared directory with the tag <tag>, use the following command:
cfset ClamD.Endpoint.<point> -a, for example:
cfset ClamD.Endpoint.point1 -a
cfset SmbSpider.Share.<tag> -a, for example:
cfset SmbSpider.Share.BuhFiles -a
|
This command requires drweb-ctl to be started with root privileges. If necessary, use the su or sudo commands.
|
|
cfshow
[<section>][.<parameter>]
|
Purpose: to display parameter values in the current configuration. The parameters are output in the following format: <section>.<parameter> = <value>. Sections and parameters of non-installed components are not displayed.
Arguments:
•<section>—name of the configuration file section parameters of which are to be displayed. The argument is optional. If not specified, parameters of all configuration file sections are displayed.
•<parameter>—name of the displayed parameter. If not specified, all parameters of the section are displayed. Otherwise, only this parameter is displayed. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are displayed.
Options:
--Uncut—display all configuration parameters (not only those used with the currently installed set of components). If the option is not specified, only parameters used for configuration of the installed components are displayed.
--Changed—output only those parameters which have values different from the default ones.
--Ini—display parameter values in the INI file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).
--Value—output only value of the specified parameter (the <parameter> argument is mandatory in this case).
|
reload
|
Purpose: to send the SIGHUP signal to the Dr.Web ConfigD configuration daemon.
On receiving this signal, the Dr.Web ConfigD configuration daemon rereads the configuration and sends the required changes of it to Dr.Web for UNIX File Servers components. Then the configuration daemon reopens the program log, restarts the components that use virus databases (including the anti-virus engine), and attempts to restart those components which were terminated abnormally.
Arguments: None.
Options: None
|
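An added example (not part of the Dr.Web documentation) that uses the cfshow output format described above, <section>.<parameter> = <value>, to detect configuration drift between a saved baseline and the current settings. The function names, file names and the SectionA/SectionB parameter names are constructed placeholders, not real Dr.Web parameters.

```sh
# Added example: compare two snapshots in "cfshow" format and report drift.
# A snapshot can be taken with:  drweb-ctl cfshow --Changed > baseline.txt
# With --Changed, a parameter that was reset to its default disappears from
# the snapshot and is therefore reported as REMOVED.

# $1 = baseline snapshot, $2 = current snapshot.
# Prints one sorted line per difference: ADDED, CHANGED or REMOVED.
config_drift() {
    awk '
        # Split "<section>.<parameter> = <value>" at the first " = ".
        function split_kv(line,   p) {
            p = index(line, " = ")
            if (p == 0) return 0
            key = substr(line, 1, p - 1)
            val = substr(line, p + 3)
            return 1
        }
        FILENAME == ARGV[1] { if (split_kv($0)) base[key] = val; next }
        split_kv($0) {
            seen[key] = 1
            if (!(key in base))        print "ADDED " key " = " val
            else if (base[key] != val) print "CHANGED " key ": " base[key] " -> " val
        }
        END {
            for (k in base) if (!(k in seen)) print "REMOVED " k " = " base[k]
        }
    ' "$1" "$2" | sort
}

# Compare the live configuration with a baseline file (needs drweb-ctl).
check_live_config() {
    cur=$(mktemp) || return 1
    drweb-ctl cfshow --Changed > "$cur" && config_drift "$1" "$cur"
    rm -f "$cur"
}

# Run config_drift on two constructed snapshots (placeholder names/values).
sample_drift() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/baseline.txt" <<'EOF'
SectionA.HeuristicParam = On
SectionA.TimeoutParam = 30s
SectionB.LogParam = Info
EOF
    cat > "$tmp/current.txt" <<'EOF'
SectionA.HeuristicParam = Off
SectionA.TimeoutParam = 30s
SectionB.ExcludedParam = /srv/share/tmp
EOF
    config_drift "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}
```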
3.4. Commands to Manage Detected Threats and Quarantine
The following commands for managing threats and quarantine are available:
Command
|
Description
|
threats
[<action> <object>]
|
Purpose: Apply the specified action to detected threats, selected by their identifiers. Type of the action is specified by the command’s option.
If the action is not specified, displays information on detected but not neutralized threats. For each threat the following information is displayed:
•Identifier assigned to the threat (its ordinal number)
•The full path to the infected file
•Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company)
•Information about the file: size, the file owner’s user name, the time of last modification
•History of operations applied to the threat: detection, applied actions etc.
Arguments: None.
Options:
-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).
If this option is applied along with any options mentioned below, it is ignored.
--Cure <threat list>—attempt to cure the listed threats (list threat identifiers separating them with commas).
--Quarantine <threat list>—move the listed threats to quarantine (list threat identifiers separating them with commas).
--Delete <threat list>—delete the listed threats (list threat identifiers separating them with commas).
--Ignore <threat list>—ignore the listed threats (list threat identifiers separating them with commas).
If it is required to apply the command to all detected threats, specify All instead of <threat list>. For example:
$ drweb-ctl threats --Quarantine All
|
moves all detected malicious objects to quarantine.
|
quarantine
[<action> <object>]
|
Purpose: Apply an action to the specified object in quarantine.
If an action is not specified, information on quarantined objects and their identifiers together with brief information on the original files moved to quarantine is displayed. For every isolated (quarantined) object the following information is displayed:
•Identifier assigned to the quarantined object
•The original path to the file, before it was moved to quarantine.
•The date when the file was put in quarantine
•Information about the file: size, the file owner’s user name, the time of last modification
•Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company)
Arguments: None.
Options:
-a [--Autonomous]—start a separate instance of the Dr.Web File Checker component for checking files for performing the specified quarantine command and shut it down after the command is completed.
This option can be applied along with any options mentioned below.
--Delete <object>—delete the specified object from quarantine.
Note that objects are deleted from quarantine permanently—this action is irreversible.
--Cure <object>—try to cure the specified object in the quarantine.
Note that even if the object is successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore command.
--Restore <object>—restore the specified object from the quarantine to its original location.
Note that this command may require drweb-ctl to be started with superuser privileges. You can restore the file from quarantine even if it is infected.
--TargetPath <path>—restore an object from the quarantine to the specified location: either as a file with the name specified here (if the <path> is a path to a file), or just to the specified directory (if the <path> is a path to a directory). Can be used only in combination with the --Restore command.
As an <object> specify the object identifier in quarantine. To apply the command to all quarantined objects, specify All instead of <object>. For example,
$ drweb-ctl quarantine --Restore All
|
restores all quarantined objects.
Note that for the --Restore All variant the additional option --TargetPath, if specified, must set a path to a directory, not a path to a file.
|
nss_threats
[<action> <object>]
|
Purpose: Apply the specified action to threats detected on NSS volumes; threats are selected by their identifiers. Type of the action is specified by the command’s option.
If the action is not specified, displays information on detected but not neutralized threats. The displayed information is essentially the same as the one that is displayed by calling the threats command (see above); but the scope of the information may be extended or modified based on the peculiarities of NSS storage.
|
To use this command, it is necessary to have SpIDer Guard for NSS installed and started.
|
Arguments: None.
Options:
-f [--Follow]—wait for new messages about new threats and display the messages once they are received (CTRL+C interrupts the waiting).
--Cure <threat list>—attempt to cure the listed threats (list threat identifiers separating them with commas).
--Quarantine <threat list>—move the listed threats to NSS quarantine (specify threat identifiers as a comma-separated list).
--Delete <threat list>—delete the listed threats (list threat identifiers separating them with commas).
--Ignore <threat list>—ignore the listed threats (list threat identifiers separating them with commas).
If it is required to apply the command to all the threats detected on NSS volumes, specify All instead of <threat list>. For example:
$ drweb-ctl nss_threats --Quarantine All
|
moves all detected malicious objects to NSS quarantine.
|
nss_quarantine
[<action> <object>]
|
Purpose: Apply an action to the specified object located in quarantine on NSS volumes.
If an action is not specified, the following information is output: object identifier in NSS quarantine and brief information on original files. The displayed information is essentially the same as the one that is displayed by calling the quarantine command (see above); but the scope of the information may be extended or modified based on the peculiarities of NSS storage.
|
To use this command, it is necessary to have SpIDer Guard for NSS installed and started.
|
Arguments: None.
Options:
--Delete <object>—delete the specified object from the NSS quarantine.
Note that objects are deleted from quarantine permanently—this action is irreversible.
--Cure <object>—try to cure the specified object in the NSS quarantine.
Note that even if the object is successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore command.
--Rescan <object>—rescan the specified object in the NSS quarantine.
Note that even if rescanning determines that the object is clean (not infected), it stays in quarantine. To restore the object from quarantine, use the --Restore option.
--Restore <object>—restore the specified object from the NSS quarantine.
Note that this command may require drweb-ctl to be started with superuser privileges. You can restore the file from quarantine even if it is infected.
--TargetPath <path>—restore an object from the quarantine to the specified location: either as a file with the name specified here (if the <path> is a path to a file), or just to the specified directory (if the <path> is a path to a directory).
Can be used only in combination with the --Restore command.
As an <object> specify the object identifier in NSS quarantine. To apply the command to all quarantined objects, specify All as an <object>. For example, the following command:
$ drweb-ctl nss_quarantine --Restore All
|
restores all quarantined objects.
Note that for the --Restore All variant the additional option --TargetPath, if specified, must set a path to a directory, not a path to a file.
|
|
If the Quarantine action is specified for some threat type in the settings of SpIDer Guard for NSS, an object containing a threat of this type is placed in quarantine again when you attempt to restore it from quarantine to an NSS volume with the nss_quarantine command. For example, the following default settings:
NSS.OnKnownVirus = Cure
NSS.OnIncurable = Quarantine
move all incurable objects to quarantine. This is why, when any incurable object is restored from quarantine to an NSS volume by the nss_quarantine command, this object is automatically returned to quarantine.
|
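The --Restore and --TargetPath options of the quarantine and nss_quarantine commands described above, combined into a wrapper that restores into an isolated staging directory instead of the original location, because restored objects may still be infected. This is an added example, not part of the Dr.Web documentation: the function name restore_to_staging, the DRWEB_CTL override variable and the owner-only directory requirement are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Dr.Web code. DRWEB_CTL (assumed name) lets a test
# substitute a stub for the real utility.
: "${DRWEB_CTL:=drweb-ctl}"

# restore_to_staging <quarantine|nss_quarantine> <object|All> <staging_dir>
# Always passes a directory as --TargetPath, which the documentation requires
# for "All" and permits for a single object.
restore_to_staging() {
    cmd=$1 object=$2 target=$3

    case $cmd in
        quarantine|nss_quarantine) ;;
        *) echo "unsupported command: $cmd" >&2; return 2 ;;
    esac

    # Reject an empty identifier or one that would be parsed as an option.
    case $object in
        ''|-*) echo "invalid object identifier: $object" >&2; return 2 ;;
    esac

    # The target must already exist as a real directory, not a symlink.
    if [ -L "$target" ] || [ ! -d "$target" ]; then
        echo "staging path is not a directory: $target" >&2
        return 3
    fi

    # Restored objects may still be infected: insist that group and others
    # have no access to the staging directory (mode d???------).
    case $(ls -ld -- "$target") in
        d???------*) ;;
        *) echo "staging directory must be owner-only: $target" >&2
           return 3 ;;
    esac

    "$DRWEB_CTL" "$cmd" --Restore "$object" --TargetPath "$target"
}
```

Run it with superuser privileges where --Restore requires them; the staging directory must be created beforehand with owner-only permissions.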
3.5. Information Commands
The following information commands are available:
Command
|
Description
|
appinfo
|
Purpose: Output information on active Dr.Web for UNIX File Servers components.
The following information is displayed about each component that is currently running:
•Internally-used name
•GNU/Linux process identifier (PID)
•State (running, stopped etc.)
•Error code, if the work of the component has been terminated because of an error
•Additional information (optionally).
For the configuration daemon Dr.Web ConfigD the following is displayed as additional information:
•The list of installed components—Installed
•The list of components which must be launched by the configuration daemon—Should run.
Arguments: None.
Options:
-f [--Follow]—wait for new messages on component status change and output them once such a message is received (interrupt waiting by pressing CTRL+C).
|
baseinfo
|
Purpose: Display the information on the current version of the Virus-Finding Engine and status of virus databases.
The following information is displayed:
•Version of the anti-virus engine
•Date and time when the virus databases that are currently used were issued.
•The number of available virus records (in the virus databases)
•The time of the last successful update of the virus databases and of the anti-virus engine
•The time of the next scheduled automatic update
Arguments: None.
Options: None.
|
certificate
|
Purpose: Display the contents of the trusted certificate of Dr.Web used by Dr.Web for UNIX File Servers. To save the certificate to a <cert_name>.pem file, you can use the following command:
$ drweb-ctl certificate > <cert_name>.pem
|
Arguments: None.
Options: None
|
idpass <identifier>
|
Purpose: Display the password that Dr.Web MailD, the email message scanning component, generated for the email message with the indicated identifier and used to protect the enclosed archive containing the threats removed from that message (that is, when the RepackPassword parameter in the component settings is set to HMAC(<secret>)).
Arguments:
•<identifier>—identifier of the email message.
Options:
-s [--Secret] <secret>—Secret word used for generation of an archive password.
If a secret word is not indicated when the command is called, the current secret word <secret> indicated in the Dr.Web MailD settings is used. If the RepackPassword parameter is not available or is set to a value different from HMAC(<secret>), the command returns an error.
|
license
|
Purpose: Show the information about the currently active license, or get a demo-version license, or get the key file for a license that has already been registered (for example, that has been registered on the company’s website).
If no options are specified, then the following information is displayed (if you are using a license for the standalone mode):
•License number
•Date and time when the license will expire
If you are using a license provided to you by a central protection server (for the use of the product in the central protection mode or in the mobile mode), then the following information will be displayed:
Arguments: None.
Options:
--GetRegistered <serial number>—get a license key file for the specified serial number, if the conditions for the provision of a new key file have not been breached (for example, breached by using the product not in the central protection mode, when the license is managed by a central protection server).
If the serial number is not the one provided for the demo period, you must first register it at the company’s website.
For further information about the licensing of Dr.Web products, refer to the Licensing section.
|
To register a serial number, an Internet connection is required.
|
|
stat
|
Purpose: Output statistics about the operation of components that process files (pressing CTRL+C or Q interrupts the statistics display) or about the operation of the network data scanning agent Dr.Web Network Checker.
The statistics output includes:
•Name of the component that initiated scanning
•PID of the component
•Average number of files processed per second during the last minute, 5 minutes, 15 minutes
•Usage percentage of the scanned files cache.
•Average number of scan errors per second.
For the distributed scanning agent, the following information is output:
•List of local components that initiated scanning
•List of remote hosts that received files for scanning
•List of remote hosts that sent files for scanning
For local clients of the distributed scanning agent, their PID and name are specified; for remote clients—address and port of the host.
For both clients—local and remote—the following information is output:
•Average number of files scanned per second
•Average number of sent and received bytes per second
•Average number of errors per second
Arguments: None.
Options:
-n [--netcheck]—Output statistics on operation of the network data scanning agent.
|
|