-h, --help

Show general help information and exit. To display the help information on any command, use the following call:

-v, --version

Show information on the module version and exit

-d, --debug

Instructs to show debug information upon execution of the specified command. It cannot be executed if a command is not specified. Use the call

scan <path>

Purpose: Start checking the specified file or directory with the Scanner.

Arguments:

<path>—path to the file or directory which is selected to be scanned.

This argument may be omitted, if you use the --stdin or the --stdin0 option. To specify several files that satisfy a certain criterion, use the find utility (see the Usage Examples) and the --stdin or --stdin0 option.

Options:

-a [--Autonomous]—run a specified scanning by a separate instance of Scanning Engine and the Scanner, then terminate their operation after the scanning task is completed. Note that threats detected during an autonomous scanning are not displayed in the common threat list that is displayed using the threats command (see below).

--stdin—get the list of paths to scan from the standard input string (stdin). Paths in the list need to be separated by the next line character ('\n').

--stdin0—get the list of paths to scan from the standard input string (stdin). Paths in the list need to be separated by the zero character NUL ('\0').

--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.

Allowed values:

•BRIEF—brief report.

•DEBUG—detailed report.

Default value: BRIEF

--ScanTimeout <number>—specify timeout to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On

--OnKnownVirus <action>—action applied to a threat detected by using signature-based analysis.

Allowed values: REPORT, CURE, QUARANTINE, DELETE.

Default value: REPORT

--OnIncurable <action>—action applied on failure to cure a detected threat or if a threat is incurable.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnSuspicious <action>—action applied to a suspicious object detected by heuristic analysis.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnAdware <action>—action applied to detected adware programs.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnDialers <action>—action applied to dialers.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnJokes <action>—action applied to joke programs.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnRiskware <action>—action applied to potentially dangerous programs (riskware).

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnHacktools <action>—action applied to hacktools.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

bootscan
<disk drive> | ALL

Purpose: Run checking boot records on the specified disks by the Scanner. Both MBR and VBR records are scanned.

Arguments:

<disk drive>—path to the block file of a disk device whose boot record you want to scan. You can specify several disk devices separated by spaces. The argument is mandatory. If ALL is specified instead of the device file, all boot records on all available disk devices will be checked.

Options:

-a [--Autonomous]—run a specified scanning by a separate instance of Scanning Engine and the Scanner, then terminate their operation after the scanning task is completed. Note that threats detected during an autonomous scanning are not displayed in the common threat list that is displayed using the threats command (see below).

--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.

Allowed values:

•BRIEF—brief report.

•DEBUG—detailed report.

Default value: BRIEF

--ScanTimeout <number>—specify timeout to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No

--ShellTrace—enable display of additional debug information when scanning a boot record.

procscan

Purpose: Start checking executable files containing code of currently running processes with the Scanner. If a malicious executable file is detected, it is neutralized, and all processes run by this file are forced to terminate.

Arguments: None.

Options:

-a [--Autonomous]—run a specified scanning by a separate instance of Scanning Engine and the Scanner, then terminate their operation after the scanning task is completed. Note that threats detected during an autonomous scanning are not displayed in the common threat list that is displayed using the threats command (see below).

--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.

Allowed values:

•BRIEF—brief report.

•DEBUG—detailed report.

Default value: BRIEF

--ScanTimeout <number>—specify timeout to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--OnKnownVirus <action>—action applied to a threat detected by using signature-based analysis.

Allowed values: REPORT, CURE, QUARANTINE, DELETE.

Default value: REPORT

--OnIncurable <action>—action applied on failure to cure a detected threat or if a threat is incurable.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnSuspicious <action>—action applied to a suspicious object detected by heuristic analysis.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnAdware <action>—action applied to detected adware programs.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnDialers <action>—action applied to dialers.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnJokes <action>—action applied to joke programs.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnRiskware <action>—action applied to potentially dangerous programs (riskware).

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnHacktools <action>—action applied to hacktools.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

remotescan
<host> <path>

Purpose: Connect to the specified remote host and start scanning the specified file or directory using SSH.

Arguments:

<host>—IP address or a domain name of the remote host.

<path>—path to the file or directory which is selected to be scanned.

Options:

-l [--Login] <name>—login (user name) used for authorization on the remote host via SSH.

If a user name is not specified, there will be an attempt to connect to a remote host on behalf of the user who has launched the command.

-i [--Identity] <path to file>—path to the file containing a private key used for authentication of the specified user via SSH.

-p [--Port] <number>—number of the port on the remote host for connecting via SSH.

Default value: 22

--Password <password>—password used for authentication of a user via SSH.

Please note that the password is transferred as a plain text.

--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.

Allowed values:

•BRIEF—brief report.

•DEBUG—detailed report.

Default value: BRIEF

--ScanTimeout <number>—specify timeout to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, etc.).

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (pst, tbb, etc.).

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On

checkmail
<path to file>

Purpose: To perform scanning of a mail message, which is saved to a file, for threats, signs of spam, or non-compliance with rules of mail processing. The console output thread (stdout) will display the results of the message scanning and the action applied to this message in the course of scanning.

Arguments:

<path to file> – path to file of the mail message that requires scanning. Mandatory argument.

Options:

--Report <BRIEF|DEBUG>—specify the type of the report with scanning results.

Allowed values:

•BRIEF—brief report.

•DEBUG—detailed report.

Default value: BRIEF

-r [--Rules] <list of rules>—indicate a list of rules to follow during an email message scanning.

If the rules are not indicated, the set of rules used by default will be used.

-c [--Connect] <IP>:<port> – indicate a network socket that will be used as an address for connection by a sender of the scanned message.

-e [--Helo] <name>—indicate an identifier of a client that sent a message (IP address or FQDN host, as for the SMTP command HELO/EHLO).

-f [--From] <email>—indicate an email address of a sender (as for the SMTP command MAIL FROM).

If the address is not indicated, the respective address from an email will be used.

-t [--Rcpt] <email>—indicate an email address of a recipient (as for the SMTP command RCPT TO).

If the address is not indicated, the respective address from an email will be used.

update

Purpose: Instruct the updating Component to download and install updates to virus databases and components from Doctor Web update servers or terminate a running update process.

The command is not executed if Dr.Web for Linux is connected to the central protection server.

Arguments: None.

Options:

--Stop—terminate the running updating process.

esconnect
<server>[:<port>]

Purpose: Connect Dr.Web for Linux to the specified central protection server (for example, Dr.Web Enterprise Server).

For details on Dr.Web for Linux operation modes, refer to theOperation Modes section.

Arguments:

•<server>—IP address or network name of the host on which the central protection server is operating. This argument is mandatory.

•<port>—port number used by the central protection server. The argument is optional and should be specified only if the central protection server uses a non-standard port.

Options:

--Key <path>—path to the public key file of the central protection server to which connection is performed.

--Login <ID>—login (workstation identifier) used for connection to the central protection server.

--Password <password>—password for connection to the central protection server.

--Group <ID>—identifier of the group to which the workstation is added on connection.

--Rate <ID>—identifier of the tariff group applied to your workstation when it is included in one of the central protection server groups (can be specified only together with the --Group option).

--Compress <On|Off>—enables (On) or disables (Off) forced compression of transmitted data. If not specified, usage of compression is determined by the server.

--Encrypt <On|Off>—enables (On) or disables (Off) forced encryption of transmitted data. If not specified, usage of encryption is determined by the server.

--Newbie—connect as a “newbie” (get a new account on the server).

esdisconnect

Purpose: Disconnect Dr.Web for Linux from the central protection server and switch its operation to Standalone mode.

The command has no effect if Dr.Web for Linux is in Standalone mode.

Arguments: None.

Options: None.

cfset
<section>.<parameter> <value>

Purpose: to change the active value of the specified parameter in the current configuration.

Note that an equals sign is not allowed.

Arguments:

•<section>—name of the configuration file’s section where the parameter resides. This argument is mandatory.

•<parameter>—name of the parameter. The argument is mandatory.

•<value>—new value that is to be assigned to the parameter. The argument is mandatory.

The following format is used to specify the parameter value <section>.<parameter> <value>.

For description of the configuration file, refer to the documentation man: drweb.ini(5).

Options:

-a [--Add]—do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can have several values, specified as a list). You should also use this option to when adding a new parameter group identified by a tag.

-e [--Erase]—do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list).

-r [--Reset]—reset the parameter value to the default. At that, <value> is not required in the command and is ignored if specified.

Options are not mandatory. If they are not specified, then the current parameter value (the entire list of values, if the parameter currently holds several values) are substituted with the specified value.

cfshow
[<section>[.<parameter>]]

Purpose: Display parameters of the current configuration.

The command to display parameters is specified as follows <section>.<parameter> = <value>. Sections and parameters of non-installed components are not displayed.

Arguments:

•<section>—name of the configuration file section parameters of which are to be displayed. The argument is optional. If not specified, parameters of all configuration file sections are displayed.

•<parameter>—name of the displayed parameter. If not specified, all parameters of the section are displayed. Otherwise, only this parameter is displayed. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are displayed.

Options:

--Uncut—display all configuration parameters (not only those used with the currently installed set of components). If the option is not specified, only parameters used for configuration of the installed components are displayed.

--Changed—display only those parameters whose values differ from the default ones.

--Ini—display parameter values in the INI file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).

--Value—display only value of the specified parameter (the <parameter> argument is mandatory in this case).

reload

Purpose: Restart Dr.Web for Linux service components. At that, logs are opened, the configuration file is reread, and the attempt to restart abnormally terminated components is then performed.

Arguments: None.

Options: None.

threats
[<action> <object>]

Purpose: Apply the specified action to detected threats, selected by their identifiers. Type of the action is specified by the command’s option.

If the action is not specified, displays information on detected but not neutralized threats. For each threat the following information is displayed:

•Identifier assigned to the threat (its ordinal number)

•The full path to the infected file

•Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company)

•Information about the file: size, the file owner’s user name, the time of last modification

•History of operations applied to the threat: detection, applied actions etc.

Arguments: None.

Options:

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is applied along with any options mentioned below, it is ignored.

--Cure <threat list>—attempt to cure the listed threats (list threat identifiers separating them with commas).

--Quarantine <threat list>—move the listed threats to quarantine (list threat identifiers separating them with commas).

--Delete <threat list>—delete the listed threats (list threat identifiers separating them with commas).

--Ignore <threat list>—ignore the listed threats (list threat identifiers separating them with commas).

If it is required to apply the command to all detected threats, specify All instead of <threat list>. For example:

moves all detected malicious objects to quarantine.

quarantine
[<action> <object>]

Purpose: Apply an action to the specified object in quarantine.

If an action is not specified, information on quarantined objects and their identifiers together with brief information on the original files moved to quarantine is displayed. For every isolated (quarantined) object the following information is displayed:

•Identifier assigned to the quarantined object

•The original path to the file, before it was moved to quarantine.

•The date when the file was put in quarantine

•Information about the file: size, the file owner’s user name, the time of last modification

•Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company)

Arguments: None.

Options:

-a [--Autonomous]—start a separate copy of Scanner to perform the specified quarantine command and shut it down after the command is executed.

This option can be applied along with any options mentioned below.

--Delete <object>—delete the specified object from quarantine.

Note that objects are deleted from quarantine permanently—this action is irreversible.

--Cure <object>—try to cure the specified object in the quarantine.

Note that even if the object is successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore command.

--Restore <object>—restore the specified object from the quarantine to its original location.

Note that this command may require drweb-ctl to be started with root privileges. You can restore the file from quarantine even if it is infected.

--TargetPath <path>—restore an object from the quarantine to the specified location: either as a file with the name specified here (if the <path> is a path to a file), or just to the specified directory (if the <path> is a path to a directory).

Note that this option can be used only in combination with the --Restore command.

As an <object> specify the object identifier in quarantine. To apply the command to all quarantined objects, specify All instead of <object>. For example,

restores all quarantined objects.

Note that for the --Restore All variant the additional option --TargetPath, if specified, must set a path to a directory, not a path to a file.

appinfo

Purpose: Display information on active Dr.Web for Linux modules.

The following information is displayed for every module:

•Internally-used name

•Process identifier GNU/Linux (PID).

•State (running, stopped etc.)

•Error code, if the work of the component has been terminated because of an error

•Additional information (optionally).

For the configuration daemon (drweb-configd) the following is displayed as additional information:

•The list of installed components—Installed

•The list of components which must be launched by the configuration daemon—Should run.

Arguments: None.

Options:

-f [--Follow]—wait for new messages on module status change and display them once such a message is received (CTRL+C interrupts the waiting).

baseinfo

Purpose: Display the information on the current version of the Virus-Finding Engine and status of virus databases.

The following information is displayed:

•Version of the anti-virus engine

•Date and time when the virus databases that are currently used were issued.

•The number of available virus records (in the virus databases)

•The time of the last successful update of the virus databases and of the anti-virus engine

•The time of the next scheduled automatic update

Arguments: None.

Options: None.

certificate

Purpose: Display contents of the trusted Dr.Web certificate used by Dr.Web for Linux to check protected connections if this option is enabled on the settings page. To save the certificate to the <cert_name>.pem file, you can use the following command:

Arguments: None.

Options: None.

license

Purpose: Show the information about the currently active license, or get a demo-version license, or get the key file for a license that has already been registered (for example, that has been registered on the company’s website).

If no options are specified, then the following information is displayed (if you are using a license for the Standalone mode):

•License number

•Date and time when the license will expire

If you are using a license provided to you by a central protection server (for the use of the product in the Central protection mode or in the Mobile mode), then the following information will be displayed:

Arguments: None.

Options:

--GetDemo—request a demo key that is valid for one month, and receive this key, if the conditions for the provision of a demo period have not been breached.

--GetRegistered <serial number>—get a license key file for the specified serial number, if the conditions for the provision of a new key file have not been breached (for example, breached by using the product not in the Central protection mode, when the license is managed by a central protection server).

If the serial number is not the one provided for the demo period, you must first register it at the company’s website.

For further information about the licensing of Dr.Web products, refer to the Licensing section.