Operating Principles
SpIDer Guard for SMB operates in daemon mode (usually it is started by the Dr.Web ConfigD configuration daemon on system startup). After startup, the component operates as a server to which special plug-ins (VFS SMB modules) connect; these modules run on the Samba server side and monitor user activity in shared directories. When a new or modified file is found on a volume, the monitor instructs the Dr.Web File Checker component to scan the file. The monitor operation scheme is shown in the figure below.

Figure 13. Diagram of the components’ operation

If a file scanned at the request of the monitor is infected with an incurable threat, or with a threat for which the “Block” action is specified, the monitor instructs the VFS SMB module controlling the corresponding shared directory to block this file (that is, to prevent users from reading, editing, and running it). A text file is also created next to the blocked object, unless this setting is disabled. The created text file describes the reason why the object was blocked. It is intended to avoid the “unexpected disappearance” of a file to which the “Delete” or “Move to quarantine” action was applied, and thus prevents users from making repeated attempts to recreate the moved or deleted file. Moreover, this text file notifies the user that the computer may be infected with a malicious program; a user informed in this way can start an anti-virus scan of the computer and neutralize the threats detected locally.

Additionally, a file can be blocked (depending on the value of the corresponding configuration parameter) when a scanning error occurs, including the case when there is no valid license covering the operation of SpIDer Guard for SMB.

You can disable monitoring of specified files and directories stored in the controlled shared directories of the server. This can be useful when, for example, some files are modified frequently, which results in constant repeated scanning of these files and can thus increase system load.
If it is known with certainty that frequent modification is typical for these files in the file server’s storage, it is recommended that you add them to the list of exclusions. In this case, the monitor stops responding to modification of these objects and their scanning is not initiated.

To distinguish between directories that are to be monitored and the exclusions, the file storage monitor of SpIDer Guard for SMB uses two configuration parameters:

•IncludedPath—paths to be monitored (“monitoring scope”).
•ExcludedPath—paths to be excluded from monitoring (“exclusion scope”).

Normally, the monitor uses the entire shared directory as the monitoring scope. If you specify different monitoring and exclusion scopes, only those files in the shared directory are monitored whose paths are not specified in the ExcludedPath parameter or are specified in the IncludedPath parameter. If a path is specified in both parameters, the IncludedPath parameter has higher priority: the objects in the included path will be monitored by the Samba shared directories monitor (SpIDer Guard for SMB). Thus, use the IncludedPath parameter to add files and directories for monitoring when they are located in the exclusion scope.

You can specify different protection parameters for different shared directories monitored by SpIDer Guard for SMB, including different monitoring and exclusion scopes as well as the reaction to detected threats. For that purpose, in the configuration section of SpIDer Guard for SMB, specify individual settings for the VFS SMB modules that control the shared directories.
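The following added example models the IncludedPath / ExcludedPath decision rule described above so that an administrator can check, before editing the configuration, which objects in a share would still be scanned. It is illustrative code written for this page, not part of Dr.Web or SpIDer Guard for SMB; the share root, the sample paths, and the assumption that scopes match on whole path components (so that an exclusion for /share/cache does not also cover /share/cacheX) are all constructed here.

```python
from pathlib import PurePosixPath


def _within(path: str, scope: str) -> bool:
    """True if `path` is `scope` itself or lies below it.

    Comparison is done on whole path components (assumption of this model),
    so /share/cache does not match /share/cacheX as a plain string prefix would.
    """
    p = PurePosixPath(path).parts
    s = PurePosixPath(scope).parts
    return p[:len(s)] == s


def is_monitored(path: str, share_root: str, included_path=(), excluded_path=()) -> bool:
    """Model of the monitoring-scope rule from the documentation.

    - Objects outside the shared directory are never the monitor's concern.
    - With no scopes configured, the whole share is the monitoring scope.
    - An object is monitored if it is not under any ExcludedPath entry,
      or if it is under an IncludedPath entry (IncludedPath has priority).
    """
    if not _within(path, share_root):
        return False
    if any(_within(path, inc) for inc in included_path):
        return True
    return not any(_within(path, exc) for exc in excluded_path)


# Constructed sample configuration for one share (not taken from any real deployment).
SHARE = "/srv/samba/public"
INCLUDED = ["/srv/samba/public/cache/keep"]
EXCLUDED = ["/srv/samba/public/cache", "/srv/samba/public/tmp/build.log"]


def classify(paths, share_root=SHARE, included_path=INCLUDED, excluded_path=EXCLUDED):
    """Return {path: monitored?} for a batch of candidate object paths."""
    return {p: is_monitored(p, share_root, included_path, excluded_path) for p in paths}


if __name__ == "__main__":
    samples = [
        "/srv/samba/public/docs/report.docx",     # monitored: not excluded
        "/srv/samba/public/cache/scratch.bin",    # skipped: under ExcludedPath
        "/srv/samba/public/cache/keep/data.bin",  # monitored: IncludedPath wins
        "/srv/samba/public/tmp/build.log.1",      # monitored: only build.log itself is excluded
        "/etc/passwd",                            # skipped: outside the share
    ]
    for p, m in classify(samples).items():
        print(f"{'monitored' if m else 'skipped  '}  {p}")
```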