Quarantine Directories


Quarantine directories isolate files that pose a threat to system security and cannot currently be cured. Such threats are those unknown to Dr.Web for Linux (that is, the heuristic analyzer detects a virus, but the databases contain neither its signature nor a method to cure it) or those that caused an error during scanning. A file can also be quarantined on demand, if the user selects this action in the list of detected threats or specifies it in the Scanner or SpIDer Guard settings as the reaction to this threat type.

When a file is quarantined, it is renamed according to special rules. Renaming prevents users and applications from identifying isolated files and complicates access to them if someone attempts to bypass the quarantine management tools implemented in Dr.Web for Linux. In addition, when a file is moved to quarantine, its execution bit is reset to prevent attempts to run the file.

Quarantine directories are located in:

The user's home directory (if multiple user accounts exist on the computer, a separate quarantine directory can be created for each user)

The root directory of each logical volume mounted to the file system

Dr.Web for Linux quarantine directories are always named .com.drweb.quarantine and are not created until the Quarantine (Isolate) action is applied. Even then, only the directory required to isolate the particular object is created. The directory is selected using the file owner's name: the search proceeds upwards from the location of the malicious object, and if the owner's home directory is reached, the quarantine storage created in that directory is selected. Otherwise, the file is isolated in the quarantine created in the root directory of the volume (which is not always the same as the file system root directory). Thus, an infected file moved to quarantine always stays on the same volume, which ensures that quarantine operates correctly when several removable storage devices and other volumes are mounted at different locations in the system.
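The selection rule described above can be sketched in Python to predict where a given file's quarantine copy should be looked for during triage. This is an added example, not Dr.Web's own code. It assumes the upward search stops at the root of the volume holding the file (the page does not say so explicitly); the function names and the sample mount layout are constructed for illustration.

```python
import os
import pwd
from pathlib import PurePosixPath

QUARANTINE_NAME = ".com.drweb.quarantine"  # directory name stated on the page


def select_quarantine(file_path, owner_home, is_mount):
    """Return the quarantine directory the described rule would select.

    Assumption (not stated on the page): the upward search stops at the
    root of the volume that holds the file.
    """
    home = PurePosixPath(owner_home)
    for parent in PurePosixPath(file_path).parents:
        if parent == home:
            return str(parent / QUARANTINE_NAME)  # "User quarantine"
        if is_mount(str(parent)):
            return str(parent / QUARANTINE_NAME)  # "System quarantine"
    raise ValueError("file_path must be an absolute path to a file")


def expected_quarantine(file_path):
    """Apply the rule to a real file, using its owner and the live mounts."""
    real = os.path.realpath(file_path)
    owner_home = pwd.getpwuid(os.stat(real).st_uid).pw_dir
    return select_quarantine(real, owner_home, os.path.ismount)


# Constructed sample layout: one USB stick under /media, one under the home.
SAMPLE_MOUNTS = {"/", "/home", "/media/usb0", "/home/alice/usb"}


def demo():
    """Run the rule over constructed paths owned by a user 'alice'."""
    check = SAMPLE_MOUNTS.__contains__
    home = "/home/alice"
    return [
        select_quarantine("/home/alice/Downloads/a.bin", home, check),
        select_quarantine("/media/usb0/docs/b.bin", home, check),
        select_quarantine("/home/alice/usb/c.bin", home, check),
        select_quarantine("/tmp/d.bin", home, check),
    ]


if __name__ == "__main__":
    for quarantine_dir in demo():
        print(quarantine_dir)
```

The third sample path shows the edge case: a volume mounted inside the home directory keeps its own quarantine under the stop-at-volume-root assumption, so the file never crosses a volume boundary.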

Users can manage objects in quarantine both in graphical mode and from the command line. Every action is applied to the consolidated quarantine; that is, changes affect all quarantine directories available at the moment. From the viewpoint of the user, the quarantine directory located in the user home directory is considered User quarantine and other directories are considered System quarantine.

Quarantined objects can be managed even if no active license is found. However, isolated objects cannot be cured in this case.