Operating Principles
This component is used to access any file system objects (files, directories, boot records). It is started with superuser (root) privileges. It indexes all checked files and directories and saves the data about checked objects to a special cache, which avoids repeated checking of objects that have already been checked and have not been modified since then. If a request to check such an object is received, the previous check result is retrieved from the cache and returned.

A diagram showing how the component works is given in the figure below.

Figure 16. Diagram of the components’ operation

When a request to check a file system object is received from a component of Dr.Web for UNIX File Servers, Dr.Web File Checker checks whether this object requires scanning. If so, a scanning task is generated for Dr.Web Scanning Engine. If the scanned object contains a threat, Dr.Web File Checker neutralizes it (deletes or quarantines it) if this action has been specified by the client component that initiated the scanning. Scanning can be initiated by various components of the product (for example, by the SpIDer Guard for SMB monitor). During the scanning, the file-checking component generates a report detailing the scanning results and the applied actions, if any, and sends it to the client component.

Apart from the standard scanning method, the following special methods are available for internal use:

•The “flow” scanning method. A client component that uses this scanning method initializes detection and neutralization parameters only once. These parameters are applied to all future requests to check a file coming from this client component. This method is used by the SpIDer Guard for SMB monitor.

•The “proxy” scanning method. When this method is used, the file-checking component scans files without applying any actions to detected threats and without keeping any records about the detected threats to permit future action. Any necessary actions must be applied by the component that initiated the scanning process. This method is used by the SpIDer Guard for SMB monitor and by the Dr.Web ClamD component.

Files can be scanned with the “flow” and “proxy” scanning methods using the flowscan and proxyscan commands of the Command-Line Call Format utility (launched by the command). However, for normal on-demand scanning, it is recommended that you use the scan command.

The component collects statistics on scanned files, averaging the number of files scanned per second over the last minute, 5 minutes, and 15 minutes.
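The result cache described in the first paragraph can be sketched as follows. This is an added illustration, not Dr.Web code: ScanResultCache, fingerprint and toy_scan are hypothetical names, and treating an object as unmodified when its device, inode, size, mtime and ctime all match is an assumption, since the page does not say how modification is detected.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

# Assumption: "not modified" means device, inode, size, mtime and ctime all
# match the last check. ctime is included because mtime alone can be set by
# any user who owns the file.
Fingerprint = Tuple[int, int, int, int, int]

def fingerprint(path: str) -> Fingerprint:
    st = os.stat(path)
    return (st.st_dev, st.st_ino, st.st_size, st.st_mtime_ns, st.st_ctime_ns)

class ScanResultCache:
    """Hypothetical cache that returns the stored verdict for unchanged objects."""
    def __init__(self, scan: Callable[[str], str]) -> None:
        self._scan = scan  # stand-in for the scanning engine
        self._entries: Dict[str, Tuple[Fingerprint, str]] = {}
        self.engine_calls = 0

    def check(self, path: str) -> str:
        key = os.path.realpath(path)  # one entry per object, not per alias
        fp = fingerprint(key)
        hit = self._entries.get(key)
        if hit is not None and hit[0] == fp:
            return hit[1]  # unchanged since the last check: no rescan
        self.engine_calls += 1
        verdict = self._scan(key)
        # Re-stat after scanning: if the file changed while it was being read,
        # do not cache a verdict that may describe the older content.
        if fingerprint(key) == fp:
            self._entries[key] = (fp, verdict)
        else:
            self._entries.pop(key, None)
        return verdict

def toy_scan(path: str) -> str:
    # Constructed stand-in engine: flags a harmless marker string.
    return "threat" if b"TEST-MARKER" in Path(path).read_bytes() else "clean"

def demo() -> Tuple[str, str, str, int]:
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "sample.txt"  # constructed sample file
        p.write_bytes(b"hello")
        cache = ScanResultCache(toy_scan)
        first, second = cache.check(str(p)), cache.check(str(p))
        p.write_bytes(b"hello TEST-MARKER")  # content and size change
        third = cache.check(str(p))
        return first, second, third, cache.engine_calls
```

The second check is answered from the cache, so the stand-in engine runs only twice for three requests.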