1. Command Format for Calling the Command-Line Utility to Manage the Product
The command-line tool that manages Dr.Web for UNIX File Servers is called as follows:
$ drweb-ctl [<general options> | <command> [<argument>] [<command options>]]
where:
•<general options>—options that apply on startup when no command is specified, or that can be applied to any command. Not mandatory;
•<command>—command to be performed by Dr.Web for UNIX File Servers (for example, start scanning, output the list of quarantined objects, and others);
•<argument>—command argument. Depends on the specified command. Some commands do not accept arguments;
•<command options>—options that control the operation of the specified command. Depend on the command. Some commands do not accept options.
2. General Options
The following general options are available:

-h, --help
Show general help information and exit. To display the help information on any command, use the following call:

-v, --version
Show the module version and exit.

-d, --debug
Show debug information when running the specified command. This option cannot be used without a command. Use the following call:
3. Commands
Commands to manage Dr.Web for UNIX File Servers can be separated into the following groups:
•anti-virus scanning commands;
•commands to manage updates and operation in a centralized protection mode;
•configuration management commands;
•commands to manage detected threats and quarantine;
•information commands.
To get documentation on this component from the command line, run the following command: man 1 drweb-ctl.
3.1. Anti-virus Scanning Commands
The following commands to manage anti-virus scanning are available:

scan <path>
Purpose: initiate scanning of the specified file or directory by the file scanning component Dr.Web File Checker.
Arguments
<path>—path (can be relative) to the file or directory to be scanned.
This argument may be omitted if you use the --stdin or the --stdin0 option. To specify several files that satisfy a certain criterion, use the find utility (see Usage Examples) and the --stdin or --stdin0 option.
Options
-a [--Autonomous]—run an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed by the threats command (see below), and information on them will not be sent to a centralized protection server if Dr.Web for UNIX File Servers is controlled by one.
--stdin—get the list of paths to be scanned from the standard input stream (stdin). Paths in the list must be separated with the newline character (\n).
--stdin0—get the list of paths to be scanned from the standard input stream (stdin). Paths in the list must be separated with the NUL character (\0).
When using the --stdin and --stdin0 options, the paths in the list must not contain patterns or regular expressions for a search. We recommend that you use the --stdin and --stdin0 options to process a path list generated by an external utility, for example find (see Usage Examples).
--Exclude <path>—path to be excluded from scanning. The path can be relative and contain a file mask (with the following wildcards: ? and *, as well as the character classes [ ], [! ], and [^ ]).
Optional parameter; can be set more than once.
--Report <type>—specify a type of the scan report.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
Default value: BRIEF.
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be no less than 2.
Default value: 3000.
--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size is greater than the value of this parameter are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.
Default value: none.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.
--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.
Possible actions: Report, Cure, Quarantine, Delete.
Default value: Report.
--OnIncurable <action>—an action to perform upon detection of an incurable threat or when the curing action (Cure) has failed.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnSuspicious <action>—an action to perform upon detection of a suspicious object using the heuristic analysis.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnAdware <action>—an action to perform upon detection of adware.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnDialers <action>—an action to perform upon detection of a dialer.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnJokes <action>—an action to perform upon detection of joke software.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnRiskware <action>—an action to perform upon detection of riskware.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnHacktools <action>—an action to perform upon detection of a hacktool.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
If the threat is detected in a file inside a container (an archive, an email message, and so on), the container is quarantined (Quarantine) and not deleted (Delete).
--FollowSymlinks—resolve symlinks automatically.
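An added example (not from the Dr.Web documentation) of the find/--stdin0 pipeline the reference recommends for externally generated path lists, with the --On* actions and nesting limits validated against the values listed above before anything is scanned. It assumes drweb-ctl is on PATH (DRWEB_CTL overrides it for testing) and that the directory, file age and actions are supplied by the caller.

```shell
#!/bin/sh
# Added example, not taken from the Dr.Web documentation: an on-demand scan of
# files changed within the last N days, fed to "drweb-ctl scan --stdin0" by find.
# Assumptions: drweb-ctl is on PATH (set DRWEB_CTL to run with a stand-in), and
# the directory, day count and threat actions are supplied by the caller.

# Actions the reference allows for --OnKnownVirus: Report, Cure, Quarantine, Delete.
valid_known_action() {
    case "$1" in
        Report|Cure|Quarantine|Delete) return 0 ;;
        *) return 1 ;;
    esac
}

# Actions for the other --On* options (incurable, suspicious, adware, ...): no Cure.
valid_other_action() {
    case "$1" in
        Report|Quarantine|Delete) return 0 ;;
        *) return 1 ;;
    esac
}

# Nesting limits must be non-negative integers (0 means nested objects are skipped).
valid_level() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the option list for "drweb-ctl scan", one word per line, or fail with a
# message before anything is scanned.
#   $1 action for known threats, $2 action for incurable and suspicious objects,
#   $3 nesting limit applied to archives and containers.
scan_options() {
    valid_known_action "$1" || { echo "bad --OnKnownVirus action: $1" >&2; return 1; }
    valid_other_action "$2" || { echo "bad --OnIncurable/--OnSuspicious action: $2" >&2; return 1; }
    valid_level "$3" || { echo "nesting level must be an integer >= 0: $3" >&2; return 1; }
    # JSON keeps the report machine-readable for later processing; --stdin0
    # pairs with find -print0 so file names containing spaces or newlines
    # cannot be split into bogus paths (a risk with newline-separated --stdin).
    printf -- '%s\n' --stdin0 --Report JSON \
        --OnKnownVirus "$1" --OnIncurable "$2" --OnSuspicious "$2" \
        --ArchiveMaxLevel "$3" --ContainerMaxLevel "$3"
}

# Scan regular files under $1 modified less than $2 days ago.
#   $3, $4, $5 are passed to scan_options.
scan_recent() {
    opts=$(scan_options "$3" "$4" "$5") || return 1
    # $opts is split on whitespace on purpose: no option value here contains spaces.
    # shellcheck disable=SC2086
    find "$1" -type f -mtime "-$2" -print0 | "${DRWEB_CTL:-drweb-ctl}" scan $opts
}

# Stand-alone use: scan_recent /srv/share 1 Quarantine Quarantine 4
```

Run it from the account that normally runs drweb-ctl; a rejected action or limit stops the script before find is started, so nothing is scanned with half-applied options.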

bootscan <device> | ALL
Purpose: start scanning boot records on the specified disks using the file scanning component Dr.Web File Checker. Both MBR and VBR records are scanned.
Arguments
<device>—path to the block device file of a disk whose boot record you want to scan. Several devices can be specified, separated by spaces. The argument is mandatory. If ALL is specified instead of a device file, the boot records of all available disk devices are checked.
Options
-a [--Autonomous]—run an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed by the threats command (see below), and information on them will not be sent to a centralized protection server if Dr.Web for UNIX File Servers is controlled by one.
--Report <type>—specify a type of the scan report.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
Default value: BRIEF.
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.
--Cure <Yes|No>—enable or disable attempts to cure detected threats.
If the value is set to No, only a notification about a detected threat is displayed.
Default value: No.
--ShellTrace—display additional debug information when scanning a boot record.

procscan
Purpose: initiate scanning of executables containing the code of currently running system processes with the Dr.Web File Checker component. If a malicious executable file is detected, it is neutralized, and all processes run by this file are forced to terminate.
Arguments: none.
Options
-a [--Autonomous]—run an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed by the threats command (see below), and information on them will not be sent to a centralized protection server if Dr.Web for UNIX File Servers is controlled by one.
--Report <type>—specify a type of the scan report.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
Default value: BRIEF.
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.
Possible actions: Report, Cure, Quarantine, Delete.
Default value: Report.
--OnIncurable <action>—an action to perform upon detection of an incurable threat or when the curing action (Cure) has failed.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnSuspicious <action>—an action to perform upon detection of a suspicious object using the heuristic analysis.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnAdware <action>—an action to perform upon detection of adware.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnDialers <action>—an action to perform upon detection of a dialer.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnJokes <action>—an action to perform upon detection of joke software.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnRiskware <action>—an action to perform upon detection of riskware.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnHacktools <action>—an action to perform upon detection of a hacktool.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
If a threat is detected in an executable file, Dr.Web for UNIX File Servers terminates all processes started by the file.

netscan [<path>]
Purpose: start distributed scanning of the specified file or directory using the Dr.Web Network Checker agent for network data scanning. If there are no configured connections to other hosts that are running Dr.Web for UNIX, then the scanning will be done only using the locally available scan engine (similar to the scan command).
Arguments
<path>—path to the file or directory to be scanned.
If this argument is omitted, data from the stdin input stream will be scanned.
Options
--Report <type>—specify a type of the scan report.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
Default value: BRIEF.
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
The ratio must be no less than 2.
Default value: 3000.
--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size is greater than the value of this parameter are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.
Default value: none.
--Cure <Yes|No>—enable or disable attempts to cure detected threats.
If the value is set to No, only a notification about a detected threat is displayed.
Default value: No.

flowscan <path>
Purpose: start scanning the specified file or directory via Dr.Web File Checker using the “flow” method (normally this method is used internally by SpIDer Guard).
For on-demand scanning of files and directories, it is recommended that you use the scan command.
Arguments
<path>—path to the file or directory to be scanned.
Options
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
Must be no less than 2.
Default value: 3000.
--OnKnownVirus <action>—an action to perform upon detection of a known threat by using the signature-based analysis.
Possible actions: Report, Cure, Quarantine, Delete.
Default value: Report.
--OnIncurable <action>—an action to perform upon detection of an incurable threat or when the curing action (Cure) has failed.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnSuspicious <action>—an action to perform upon detection of a suspicious object using the heuristic analysis.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnAdware <action>—an action to perform upon detection of adware.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnDialers <action>—an action to perform upon detection of a dialer.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnJokes <action>—an action to perform upon detection of joke software.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnRiskware <action>—an action to perform upon detection of riskware.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
--OnHacktools <action>—an action to perform upon detection of a hacktool.
Possible actions: Report, Quarantine, Delete.
Default value: Report.
If the threat is detected in a file inside a container (an archive, an email message, and so on), the container is quarantined (Quarantine) and not deleted (Delete).

rawscan <path>
Purpose: start “raw” scanning of the specified file or directory with Dr.Web Scanning Engine directly, without the use of Dr.Web File Checker.
Note that threats detected by “raw” scanning are not included in the list of detected threats that can be displayed with the threats command (see below).
It is recommended that you use this command only to debug the functioning of Dr.Web Scanning Engine. Note that the command outputs the “cured” status if at least one of the threats detected in a file is neutralized (not all threats might be neutralized). Thus, this command is not recommended if you need thorough file scanning; in that case, use the scan command.
Arguments
<path>—path to the file or directory to be scanned.
Options
--ScanEngine <path>—path to the UNIX socket of Dr.Web Scanning Engine. If not specified, an autonomous instance of the scan engine will be started (which will be shut down once the scanning is complete).
--Report <type>—specify a type of the scan report.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
Default value: BRIEF.
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
Must be no less than 2.
Default value: 3000.
--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size is greater than the value of this parameter are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.
Default value: none.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.
--Cure <Yes|No>—enable or disable attempts to cure detected threats.
If the value is set to No, only a notification about a detected threat is displayed.
Default value: No.
--ListCleanItem—output the list of clean (non-infected) files found inside the container that was scanned.
--ShellTrace—enable display of additional debug information when scanning a file.
--Output <path to file>—duplicate the output of the command to the specified file.

remotescan <host> <path>
Purpose: start scanning the specified file or directory at the specified remote host having connected to it using SSH or Telnet.
Note that threats detected by remote scanning are not neutralized and are not added to the list of detected threats displayed by the threats command (see below).
This function can be used only to detect malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, use the administration tools provided by that host itself. For example, for routers, set-top boxes, and other “smart” devices, a firmware update mechanism can be used; for computers, connect to them (for example, using a remote terminal session) and perform the corresponding operations in their file system (removing or moving files, and so on), or run anti-virus software installed on them.
Arguments
•<host>—IP address or a domain name of the remote host to be connected to for scanning.
•<path>—path to the file or directory to be scanned (the path must be absolute).
Options
-m [--Method] <SSH|Telnet>—remote host connection method (protocol).
If the method is not specified, SSH is used.
-l [--Login] <name>—login (user name) used for authorization on the remote host via the selected protocol.
If a user name is not specified, an attempt is made to connect to a remote host as the user who started the command.
-i [--Identity] <path to file>—private key file used for authentication of the specified user via the selected protocol.
-p [--Port] <number>—number of the port on the remote host for connecting via the selected protocol.
Default value: default port for the selected protocol (22 for SSH, 23 for Telnet).
--ForceInteractive—use the SSH interactive session (only for SSH connections).
Optional parameter.
--TransferListenAddress <address>—address for receiving files transferred from the remote device for scanning.
Optional parameter. If not indicated, an arbitrary address is used.
--TransferListenPort <port>—port for receiving files transferred from the remote device for scanning.
Optional parameter. If not indicated, an arbitrary port is used.
--TransferExternalAddress <address>—address for the remote device to send files for scanning.
Optional parameter. If not indicated, the --TransferListenAddress option value or the outgoing address of the already established session is used.
--TransferExternalPort <port>—port to transfer files for scanning, specified for the remote device.
Optional parameter. If not indicated, an automatically determined port is used.
--Password <password>—password used for authentication of a user via the selected protocol.
Please note that the password is passed as plain text.
--Exclude <path>—path to be excluded from scanning. The path can contain a file mask with the following allowed symbols: ? and *, as well as the symbol classes [ ], [! ], [^ ]. The path (including the path with the file mask) must be absolute.
Optional parameter; can be set more than once.
--Report <type>—specify a type of the scan report.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
Default value: BRIEF.
--ScanTimeout <number>—specify time-out to scan one file, in ms.
If the value is set to 0, scanning time is not limited.
Default value: 0.
--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
If the value is set to 0, nested objects are skipped.
Default value: 8.
--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.
Must be no less than 2.
Default value: 3000.
--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size is greater than the value of this parameter are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.
Default value: none.
--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.
Default value: On.

3.2. Commands to Manage Updates and Operation in the Centralized Protection Mode
The following commands for managing updates are available, as well as commands for operation in the centralized protection mode:

update
Purpose: start the updating process of anti-virus components (virus databases, the scan engine, etc., depending on the distribution) from Doctor Web update servers or a local cloud using Dr.Web MeshD, terminate the updating process if it is already running, or perform rollback of the latest update to the previous versions of updated files.
The command has no effect if Dr.Web for UNIX File Servers is connected to the centralized protection server.
Arguments: none.
Options
--From <path>—apply updates offline from a specified directory;
--Path <path>—store files for updating offline in a specified directory; if this directory already has files, then they will be updated;
--Rollback—rollback the last update, and restore the previous version of the files that have been updated during the last update;
--Stop—terminate the running update process.

esconnect <server>[:<port>]
Purpose: connect Dr.Web for UNIX File Servers to the specified centralized protection server (for example, Dr.Web Enterprise Server). For details on the operation modes, refer to the Operation Modes section.
Arguments
•<server>—IP address or network name of the host on which the centralized protection server is operating. This argument is mandatory.
•<port>—port number used by the centralized protection server. The argument is optional and should be specified only if the centralized protection server uses a non-standard port.
Options
--Certificate <path>—a file path to a certificate of the centralized protection server, the connection to which will be established.
--Login <ID>—login (workstation identifier) used for connection to the centralized protection server.
--Password <password>—password for connection to the centralized protection server.
--Group <ID>—identifier of the group to which the workstation is added on connection.
--Rate <ID>—identifier of the tariff group applied to your workstation when it is included in one of the centralized protection server groups (can be specified only together with the --Group option).
--Compress <On|Off>—enable (On) or disable (Off) forced compression of transmitted data. If not specified, usage of compression is determined by the server.
--Encrypt <On|Off>—enable (On) or disable (Off) forced encryption of transmitted data. If not specified, usage of encryption is determined by the server.
--Newbie—connect as a “newbie” (get a new account on the server).
This command requires drweb-ctl to be started with superuser (root) privileges. If necessary, use the su or sudo commands.

esdisconnect
Purpose: disconnect Dr.Web for UNIX File Servers from the centralized protection server and switch it to a standalone mode.
The command has no effect if Dr.Web for UNIX File Servers already operates in the standalone mode.
Arguments: none.
Options: none.
This command requires drweb-ctl to be started with superuser (root) privileges. If necessary, use the su or sudo commands.

3.3. Configuration Management Commands
The following commands to manage configuration are available:

cfset <section>.<parameter> <value>
Purpose: change the active value of the specified parameter in the current configuration of Dr.Web for UNIX File Servers.
Arguments
•<section>—name of the configuration file section which provides the parameter. This argument is mandatory.
•<parameter>—name of the parameter to be changed. This argument is mandatory.
•<value>—new parameter value. This argument is mandatory.
|
A parameter value is always specified in the form <section>.<parameter> <value>; the assignment character = is not used.
If you want to specify several values for a parameter, call cfset once for each value, using the -a option (see below) to add the value to the list. The argument <parameter> <value 1>, <value 2> cannot be used, because the string "<value 1>, <value 2>" is treated as a single value of <parameter>.
For description of the configuration file, refer to the section Appendix D. Dr.Web for UNIX File Servers Configuration File, as well as the documentation displayed upon running man 5 drweb.ini.
|
Options
-a [--Add]—do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can accept a list of values). This option should also be used for adding new parameter groups with a tag.
-e [--Erase]—do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list).
-r [--Reset]—reset the parameter value to the default. In this case, <value> is not required in the command and is ignored if specified.
Options are not mandatory. If none is specified, the current parameter value (including a list of values) is substituted with the specified value.
If you use the -r option in a section that contains individualized parameter settings for a Dr.Web ClamD connection point or for a shared directory monitored by SpIDer Guard for SMB, the parameter in the individualized section is reset to the value of the corresponding “parent” parameter in the component settings section.
If you need to add a new connection point <point> for Dr.Web ClamD or a parameter section for a Samba shared directory with the <tag> tag, use the following commands:
cfset ClamD.Endpoint.<point> -a, for example:
cfset ClamD.Endpoint.point1 -a
cfset SmbSpider.Share.<tag> -a, for example:
cfset SmbSpider.Share.AccountingFiles -a
|
This command requires drweb-ctl to be started with superuser privileges. If necessary, use the su or sudo commands.
|
|
cfshow
[<section>[.<parameter>]]
|
Purpose: display parameters of the current configuration of Dr.Web for UNIX File Servers.
Parameters are displayed in the form <section>.<parameter> = <value>. Sections and parameters of components that are not installed are not displayed by default.
Arguments
•<section>—name of the configuration file section parameters of which are to be displayed. The argument is optional. If not specified, parameters of all configuration file sections are displayed.
•<parameter>—name of the displayed parameter. Optional argument. If not specified, all parameters of the section are displayed. Otherwise, only this parameter is displayed. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are displayed.
Options
--Uncut—display all configuration parameters, and not only those used with the currently installed set of components. If the option is not specified, only parameters used by the installed components are displayed.
--Changed—display only those parameters whose values differ from the default ones.
--Ini—display parameter values in the INI file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).
--Value—output only the value of the specified parameter. The <parameter> argument is mandatory in this case.
|
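The cfshow output format and the cfset rules above (one value per call, -a to extend a list, -r to reset) can be driven from a script when a baseline configuration has to be re-applied. The following added example is not part of the Dr.Web documentation: it parses constructed cfshow-style lines, compares them with a baseline and builds the drweb-ctl cfset argument lists; the parameter names ExampleSection.ListParameter and ClamD.Endpoint.point1.ExampleParameter are placeholders standing in for real parameters from man 5 drweb.ini.

```python
# Added example, not code from Dr.Web. Parses the `<section>.<parameter> = <value>`
# lines that `drweb-ctl cfshow` prints and plans the `drweb-ctl cfset` calls needed
# to bring the active configuration back to a baseline.

def parse_cfshow(text: str) -> dict:
    """Map (section, parameter) -> value from cfshow output.

    Section names may themselves contain dots (e.g. ClamD.Endpoint.point1), so the
    parameter is the component after the last dot.
    """
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        section, _, parameter = key.rpartition(".")
        current[(section, parameter)] = value
    return current


def plan_cfset(current: dict, desired: dict) -> list:
    """Return drweb-ctl argv lists that apply `desired` on top of `current`.

    Desired values are interpreted as:
      str        -> one plain cfset, emitted only if the active value differs;
      list/tuple -> a plain cfset with the first item (cfset substitutes the whole
                    list), then `-a` for each further item, because cfset treats
                    "<value 1>, <value 2>" as a single value; the display format of
                    list values is not specified here, so lists are always re-applied;
      None       -> `-r` (reset to default), emitted if the parameter is present in
                    `current`; feed `cfshow --Changed` output so that presence means
                    "differs from the default".
    Options follow the argument, as in the documented `cfset ClamD.Endpoint.point1 -a`.
    """
    cmds = []
    for (section, parameter), want in desired.items():
        key = f"{section}.{parameter}"
        have = current.get((section, parameter))
        if want is None:
            if have is not None:
                cmds.append(["drweb-ctl", "cfset", key, "-r"])
        elif isinstance(want, (list, tuple)):
            first, *rest = want
            cmds.append(["drweb-ctl", "cfset", key, first])
            cmds.extend(["drweb-ctl", "cfset", key, v, "-a"] for v in rest)
        elif have != want:
            cmds.append(["drweb-ctl", "cfset", key, want])
    return cmds


# Constructed sample of `cfshow --Changed` output (not captured from a real host):
# NSS.OnKnownVirus has drifted from the documented default "Cure".
SAMPLE_CFSHOW = """\
NSS.OnKnownVirus = Report
NSS.OnIncurable = Quarantine
ClamD.Endpoint.point1.ExampleParameter = placeholder-value
"""

# Baseline to enforce. ExampleParameter and ListParameter are placeholder names.
BASELINE = {
    ("NSS", "OnKnownVirus"): "Cure",
    ("NSS", "OnIncurable"): "Quarantine",
    ("ClamD.Endpoint.point1", "ExampleParameter"): None,
    ("ExampleSection", "ListParameter"): ["first", "second"],
}

if __name__ == "__main__":
    for argv in plan_cfset(parse_cfshow(SAMPLE_CFSHOW), BASELINE):
        print(" ".join(argv))
```

The planned commands still have to be run as root, as the cfset description requires.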
reload
|
Purpose: reload the configuration of Dr.Web for UNIX File Servers.
For that purpose, the Dr.Web ConfigD configuration management daemon performs the following actions:
•rereads the configuration and notifies all Dr.Web for UNIX File Servers components about its changes;
•reopens the Dr.Web for UNIX File Servers log;
•starts the components that use virus databases (including the scanning engine);
•attempts to start those components that were shut down abnormally.
Arguments: none.
Options: none.
|
3.4. Commands to Manage Detected Threats and Quarantine
The following commands for managing threats and quarantine are available:
Command
|
Description
|
threats
[<action> <object>]
|
Purpose: apply the specified action to previously detected threats according to their identifiers. The action type is specified by a command option.
If no action is specified, information about detected but not yet neutralized threats is displayed, in the format given by the optional --Format option. If the --Format option is not specified, the following information is displayed for each threat:
•an identifier assigned to the threat (its ordinal number);
•the full path to the infected file;
•information about the threat (its name and type according to the classification of the Doctor Web company);
•information about the file: its size, owner, time of last modification;
•history of operations applied to an infected file: detection, applied actions, etc.
Arguments: none.
Options
--Format "<format string>"—output information about threats in the specified format. The description of the format string is below.
If this option is specified together with any action option, it is ignored.
-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).
If this option is specified together with any action option, it is ignored.
--Directory <list of directories>—output only threats detected in files in directories from <list of directories>.
If this option is specified together with any option provided below, it is ignored.
--Cure <threat list>—attempt to cure the listed threats (threat identifiers are comma-separated);
--Quarantine <threat list>—quarantine the listed threats (threat identifiers are comma-separated);
--Delete <threat list>—delete the listed threats (threat identifiers are comma-separated);
--Ignore <threat list>—ignore the listed threats (threat identifiers are comma-separated).
If you need to apply the action to all detected threats, specify All instead of <threat list>. For example, the command
$ drweb-ctl threats --Quarantine All
|
quarantines all detected malicious objects.
|
quarantine
[<action> <object>]
|
Purpose: apply an action to the specified object in quarantine.
If the action is not specified, information about quarantined objects and their identifiers together with brief information about original files put in quarantine is displayed. Information about isolated objects is output according to a format specified with the optional --Format parameter. If the --Format parameter is not specified, the following information is output for every isolated (quarantined) object:
•an identifier assigned to a quarantined object;
•the original path to the file that was moved to quarantine;
•the date of putting the file in quarantine;
•information about the file: its size, owner, time of last modification;
•information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company).
Arguments: none.
Options
-a [--Autonomous]—start a separate instance of the Dr.Web File Checker file scanning component to perform the specified quarantine action and terminate it upon completion.
This option can be used together with any options mentioned below.
--Format "<format string>"—display information about quarantined objects in the specified format. The description of format string is below.
If this option is specified together with any action option, it is ignored.
-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).
If this option is specified together with any action option, it is ignored.
--Discovery [<list of directories>]—search for quarantine directories in the specified directories and add them to the consolidated quarantine when a threat is detected. If <list of directories> is not specified, quarantine directories are searched for in the common locations of the file system (volume mount points and user home directories).
This option can be specified not only with the -a (--Autonomous) option (see above), but also with any of the options/actions listed below. Moreover, if the quarantine command is run as an autonomous copy, that is, with the -a (--Autonomous) option but without the --Discovery option, it has the same effect as calling:
quarantine --Autonomous --Discovery
|
--Delete <object>—delete the specified quarantined object.
Note that quarantined objects are deleted permanently—this action is irreversible.
--Cure <object>—try to cure the specified object in the quarantine.
Note that even if the object was successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore option.
--Restore <object>—restore the specified object from the quarantine to its original location.
Note that this command may require drweb-ctl to be run with superuser privileges. You can restore the file from quarantine even if it is infected.
--TargetPath <path>—restore an object from quarantine to the specified location: either as a file with the specified name (if <path> is a path to a file), or into the specified directory (if <path> is a path to a directory). The path can be absolute or relative (to the current directory).
Note that this option can only be used in combination with the --Restore option.
As <object>, specify the object identifier in quarantine. To apply the action to all quarantined objects, specify All instead of <object>. For example, the command
$ drweb-ctl quarantine --Restore All --TargetPath test
|
restores all quarantined objects and puts them in the test subdirectory located in the current directory from which the drweb-ctl command was run.
Note that if --Restore All is used together with the --TargetPath option, the path must point to a directory, not to a file.
|
|
If the Quarantine action is specified for some threat type in the settings of SpIDer Guard for NSS, an object containing a threat of this type is immediately quarantined again when you attempt to restore it to an NSS volume with the quarantine command. For example, the following default settings:
NSS.OnKnownVirus = Cure
NSS.OnIncurable = Quarantine
quarantine all incurable objects. This is why any incurable object restored from quarantine to an NSS volume with the quarantine command is automatically quarantined again.
|
Formatted output for threats and quarantine commands
The output format is defined by the format string passed as the argument of the optional --Format option. The format string must be enclosed in quotes. It can include ordinary characters (displayed “as is”) as well as special markers, which are replaced with the corresponding information in the output. The following markers are available:
1. Common to the threats and quarantine commands:
Marker
|
Description
|
%{n}
|
New line
|
%{t}
|
Tabulation
|
%{threat_name}
|
The name of the detected threat (virus) according to the Doctor Web classification
|
%{threat_type}
|
Threat type (“known virus”, and so on) according to Doctor Web classification
|
%{size}
|
Original file size
|
%{origin}
|
The full name of the original file with path
|
%{path}
|
Synonym of %{origin}
|
%{ctime}
|
Modification date/time of the original file in "%Y-%b-%d %H:%M:%S" format (for example, "2018-Jul-20 15:58:01")
|
%{timestamp}
|
Similar to %{ctime}, but in the UNIX timestamp format
|
%{owner}
|
The original file owner
|
%{rowner}
|
The remote owner of the original file (if not applicable or value is unknown it is replaced with ?)
|
2. Specific to the threats command:
Marker
|
Description
|
%{hid}
|
The identifier of the threat record in the history of events associated with the threat
|
%{tid}
|
Threat identifier
|
%{htime}
|
Date/time of the event related to the threat
|
%{app}
|
The identifier of the Dr.Web for UNIX File Servers component which processed a threat
|
%{event}
|
The latest event related to a threat:
•FOUND—a threat was detected;
•Cure—a threat was cured;
•Quarantine—a file with a threat was quarantined;
•Delete—a file with threat was deleted;
•Ignore—a threat was ignored;
•RECAPTURED—a threat was detected by another component
|
%{err}
|
Error message text (if no error has occurred, the text is replaced with an empty string)
|
3. Specific to the quarantine command:
Marker
|
Description
|
%{qid}
|
The identifier of the quarantined object
|
%{qtime}
|
Date/time of moving the object to quarantine
|
%{curetime}
|
Date/time of curing attempt of the quarantined object (if not applicable or the value is unknown, it is replaced with ?)
|
%{cureres}
|
The result of the quarantined object curing attempt:
•cured—the threat was cured;
•not cured—the threat was not cured or no curing attempts were made
|
Example
$ drweb-ctl quarantine --Format "{%{n} %{origin}: %{threat_name} - %{qtime}%{n}}"
|
This command displays quarantine contents as records of the following type:
{
<path to file>: <threat name> - <date of putting in quarantine>
}
…
|
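To check a --Format string before using it in a script, the following added example (not part of the Dr.Web documentation) validates the markers against the three tables above and expands them over a constructed quarantine record. How drweb-ctl itself treats a marker that is undefined for the command is not described here, so rejecting it is an assumption of this example.

```python
import re

# Markers from the "Common" table, valid for both threats and quarantine.
COMMON = {"n", "t", "threat_name", "threat_type", "size", "origin", "path",
          "ctime", "timestamp", "owner", "rowner"}
THREATS_ONLY = {"hid", "tid", "htime", "app", "event", "err"}
QUARANTINE_ONLY = {"qid", "qtime", "curetime", "cureres"}

# The documentation states these print "?" when not applicable or unknown,
# and that %{err} becomes an empty string when no error occurred.
UNKNOWN_AS_QUESTION = {"rowner", "curetime"}
EMPTY_IF_ABSENT = {"err"}

MARKER_RE = re.compile(r"%\{([A-Za-z_]+)\}")


def invalid_markers(fmt: str, command: str) -> list:
    """Markers in fmt that are not defined for `command` ("threats" or "quarantine")."""
    allowed = COMMON | (THREATS_ONLY if command == "threats" else QUARANTINE_ONLY)
    return [m for m in MARKER_RE.findall(fmt) if m not in allowed]


def render(fmt: str, command: str, record: dict) -> str:
    """Expand fmt for one record (rejecting undefined markers is this example's choice)."""
    bad = invalid_markers(fmt, command)
    if bad:
        raise ValueError(f"markers not valid for '{command}': {bad}")

    def expand(match):
        name = match.group(1)
        if name == "n":
            return "\n"
        if name == "t":
            return "\t"
        if name == "path":          # %{path} is a synonym of %{origin}
            name = "origin"
        if name in record:
            return str(record[name])
        if name in UNKNOWN_AS_QUESTION:
            return "?"
        if name in EMPTY_IF_ABSENT:
            return ""
        raise KeyError(f"record has no value for marker {name}")

    return MARKER_RE.sub(expand, fmt)


# Constructed quarantine record (not real drweb-ctl output); the threat name is a
# placeholder and the date uses the "%Y-%b-%d %H:%M:%S" form the table describes.
SAMPLE_QUARANTINE = {
    "qid": 3,
    "origin": "/srv/share/report.xls",
    "threat_name": "Example.Threat",
    "threat_type": "known virus",
    "size": 28160,
    "owner": "samba",
    "qtime": "2018-Jul-20 15:58:01",
}

# The format string from the documentation's own example above.
PAGE_EXAMPLE_FMT = "{%{n} %{origin}: %{threat_name} - %{qtime}%{n}}"

if __name__ == "__main__":
    print(render(PAGE_EXAMPLE_FMT, "quarantine", SAMPLE_QUARANTINE))
    print(render("%{qid}%{t}%{path}%{t}%{rowner}%{t}%{curetime}", "quarantine", SAMPLE_QUARANTINE))
```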
3.5. Information Commands
The following information commands are available:
Command
|
Description
|
appinfo
|
Purpose: output information about active Dr.Web for UNIX File Servers components.
The following information is output for each running component:
•internally used name;
•GNU/Linux process identifier (PID);
•state (running, stopped, and so on);
•error code, if the component has been terminated owing to an error;
•additional information (optional).
For the configuration daemon (drweb-configd), the following is output as additional information:
•the list of installed components—Installed;
•the list of components which must be run by the configuration daemon—Should run.
Arguments: none.
Options
-f [--Follow]—wait for new messages on module status change and display them once such a message is received (CTRL+C interrupts waiting).
|
baseinfo
|
Purpose: display the current version of the scan engine and status of virus databases.
The following information is displayed:
•version of the scan engine;
•release date and time of the virus databases being used;
•the number of available virus records;
•the time of the last successful update of the virus databases and of the scan engine;
•the time of the next scheduled automatic update.
Arguments: none.
Options
-l [--List]—display the full list of downloaded virus database files and the number of virus records in each file.
|
certificate
|
Purpose: display contents of the trusted Dr.Web certificate used by Dr.Web for UNIX File Servers. To save the certificate to the <cert_name>.pem file, you can use the following command:
$ drweb-ctl certificate > <cert_name>.pem
|
Arguments: none.
Options: none.
|
events
|
Purpose: view Dr.Web for UNIX File Servers events. Apart from that, this command allows you to manage the events (marking as read, deleting).
Arguments: none.
Options
--Report <type>—specify an event report type.
Allowed values:
•BRIEF—brief report;
•DEBUG—detailed report;
•JSON—serialized report in the JSON format.
-f [--Follow]—wait for new events and display them as they occur (CTRL+C interrupts the waiting).
-s [--Since] <date, time>—show the events that occurred no earlier than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").
-u [--Until] <date, time>—show the events that occurred no later than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").
-t [--Types] <type list>—show the events of the specified types only (types are comma-separated).
The following event types are available:
•Mail—indicates that a threat has been detected in an email;
•UnexpectedAppTermination—unexpected shutdown of a component.
To view all types of events, use All.
--ShowSeen—display already read events as well;
--Show <list of events>—display the listed events (event identifiers are comma-separated);
--Delete <list of events>—remove the listed events (event identifiers are comma-separated);
--MarkAsSeen <list of events>—mark the listed events as read (event identifiers are comma-separated).
If you want to mark all events as “read” or delete them all, specify All instead of <list of events>. For example, the command
$ drweb-ctl events --MarkAsSeen All
|
marks all existing events as “read”.
|
report <type>
|
Purpose: create a report on Dr.Web for UNIX File Servers events in the HTML format (the page body is output to the specified file).
Arguments
<type>—event type to be reported (indicate one type). See the possible values in the description of the --Types option of the events command above. A mandatory argument.
Options
-o [--Output] <path to file>—save the report to the specified file. The option is mandatory.
-s [--Since] <date, time>—report events that occurred no earlier than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").
-u [--Until] <date, time>—report events that occurred no later than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").
--TemplateDir <path to directory>—a path to the directory that contains HTML report templates.
Options -s, -u, and --TemplateDir are not mandatory. For example, the command:
$ drweb-ctl report Mail -o report.html
|
generates a report on all existing email threat detection events, based on the default template, and saves the result to the report.html file in the current directory.
|
license
|
Purpose: display the information about the currently active license, get a demo-version license, or get the key file for a license that has already been registered (for example, that has been registered on the company website).
If no options are specified, then the following information is output (if you are using a license for the standalone mode):
•a license number,
•date and time when the license expires.
If you are using a license provided to you by a centralized protection server (for the use of the product in the centralized protection mode or mobile mode), the corresponding message is output.
Arguments: none.
Options
--GetDemo—request a demo key that is valid for one month and receive this key, if the conditions for the provision of a demo period have not been violated.
--GetRegistered <serial number>—get a license key file for the specified serial number, if the conditions for providing a new key file have not been violated (for example, they are violated when the license is managed by a centralized protection server in the centralized protection mode).
If the serial number is not the one provided for a demo period, you must first register this number at the company website.
--Proxy http://<username>:<password>@<server address>:<port>—get the license key via the specified proxy server (used only together with --GetDemo or --GetRegistered).
For further information about licensing Dr.Web products, refer to the section Licensing.
|
To register a serial number, an internet connection is required.
|
|
log
|
Purpose: display the latest log records of Dr.Web for UNIX File Servers in the console (the stdout stream, similar to the tail command).
Arguments: none.
Options
-s [--Size] <number>—the number of most recent log records to display.
-c [--Components] <components list>—the list of identifiers of the components whose records are displayed. Identifiers are comma-separated. If the argument is not specified, all available records logged by all components are displayed.
The actual identifiers of the installed components (i.e. the internal component names shown in the log) can be displayed with the appinfo command (see above).
-f [--Follow]—wait for new messages in the log and display them once they are received (CTRL+C interrupts the waiting).
|
stat
|
Purpose: display statistics about the operation of components that process files or about the operation of the network data scanning agent Dr.Web Network Checker (press CTRL+C or Q to interrupt displaying the statistics).
The statistics output includes:
•a name of the component that initiated file scanning;
•component PID;
•an average number of files processed per second during the last minute, 5 minutes, 15 minutes;
•the usage percentage of the scanned-files cache;
•an average number of scan errors per second.
For the distributed scanning agent, the following information is displayed:
•a list of local clients that initiated scanning;
•a list of remote hosts that received files for scanning;
•a list of remote hosts that sent files for scanning.
For local clients of the distributed scanning agent, their PID and name are specified; for remote clients—an address and port of the host.
For both clients—local and remote—the following information is displayed:
•an average number of files scanned per second;
•an average number of sent and received bytes per second;
•an average number of errors per second.
Arguments: none.
Options
-n [--netcheck]—display statistics on the operation of the network data scanning agent.
|
|