Basic Features of Dr.Web for UNIX File Servers

1. Detection and neutralization of threats. Scanning for malicious programs of any kind (viruses, including those that infect mail files and boot records, trojans, email worms, and so on) and unwanted software (adware, joke programs, and dialers). For details on threat types, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

Signature analysis: a scan method that detects known threats registered in the virus databases.

Heuristic analysis: a set of scan methods that detect threats that are not known yet.

Cloud-based threat detection technologies that use the Dr.Web Cloud service, which collects up-to-date information about recent threats detected by various Dr.Web anti-virus products.

The heuristic analyzer may produce false-positive detections, so objects in which it detects threats are considered “suspicious”. It is recommended that you quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis. For details on the methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When scanning the file system at the user's request, you can perform either a full scan of all file system objects available to the user, or a custom scan of specified objects only (individual directories, or files that meet specified criteria). In addition, you can separately check the boot records of volumes and the executable files that started the processes currently active in the system. In the latter case, when a threat is detected, the malicious executable file is not only neutralized, but all processes started from it are forcibly terminated. On systems that implement a mandatory file access model with a set of different access levels, files that are not accessible at the current access level can be scanned in a special autonomous copy mode.

All objects containing threats detected in the file system are registered in a permanent threat registry, except for threats detected in autonomous copy mode.

The Dr.Web Ctl command-line tool bundled with Dr.Web for UNIX File Servers can scan the file systems of remote network hosts for threats, provided that those hosts offer remote terminal access via SSH or Telnet.

Remote scanning can only detect malicious or suspicious files on a remote host. To eliminate detected threats on the remote host, you must use the administration tools provided by that host itself. For example, on routers and other “smart” devices the firmware can be updated; on computers you must connect to them (including in remote terminal mode) and perform the corresponding operations in their file system (deleting or moving files, and so on), or run the anti-virus software installed on them.

2. Monitoring of access to files within:

The OS file system. File events and attempts to run executables are monitored. This feature makes it possible to detect and neutralize malware when it attempts to infect the server file system. Besides the standard monitoring mode, you can enable the enhanced (Paranoid) mode, in which the monitor blocks access to a file until its scan is finished (this prevents access to an infected file; note that a scan result becomes available only after an application attempts to access the file). The enhanced mode increases the security level but slows down access to files that have not been scanned yet.

Volume monitoring is available only on operating systems of the GNU/Linux family; the component that provides this feature is not shipped for other supported OSes.

Samba shared directories. Read and write operations of local and remote users of the file server are monitored. This feature makes it possible to detect and neutralize malware instantly upon an attempt to copy it to the file storage, which prevents its further distribution over the network.

Novell Storage Services volumes. Write operations of the NSS file storage users are monitored. This feature makes it possible to detect and neutralize malware instantly upon an attempt to copy it to the NSS storage, which prevents its further distribution over the network.

Novell Storage Services volume monitoring is available only on Novell Open Enterprise Server SP2 based on SUSE Linux Enterprise Server 10 SP3 or later; the component that provides this feature is not shipped for other supported OSes.


4. Reliable isolation of infected or suspicious objects detected within the server file system in a special storage known as quarantine, to prevent any harm to the system. Quarantined objects are renamed according to special rules and can be restored to their original location only on user demand.

5. Automatic updates of the scanning engine and virus databases to maintain a high level of protection against malware.

6. Collection of statistics on scans and threat events, and logging of detected threats. Notifications of detected threats are sent via SNMP to external monitoring systems, to a centralized protection server if Dr.Web for UNIX File Servers operates in centralized protection mode, and to the Dr.Web Cloud service.

7. Operation in centralized protection mode (when connected to a centralized protection server such as Dr.Web Enterprise Server, or as part of the Dr.Web AV-Desk service) to enforce uniform security policies within the network that includes this server. It can be a corporate network, a private network (VPN), or a service provider's network (for example, an internet service provider).