Main Functions


Dr.Web for Linux main functions:

1. Detection and neutralization of malicious programs (for example, viruses, including those that infect mail files and boot records, Trojans, and mail worms) and unwanted software (for example, adware, joke programs, and dialers). For a description of threat types, refer to Appendix A. Types of Computer Threats.

The product uses several malware detection methods simultaneously:

Signature analysis, which detects known threats

Heuristic analysis, which detects threats that are not yet present in the virus databases

The Dr.Web Cloud service, which collects up-to-date information about recent threats and delivers it to Dr.Web products.

Note that the heuristic analyzer may raise false alarms. Objects in which it detects a threat are therefore reported as “suspicious” rather than as known infected. It is recommended to quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

File system scanning can be started in two ways: on demand and automatically, according to a schedule. There are two scanning modes: full scan (all file system objects) and custom scan (selected directories or files). In addition, the user can start a separate scan of volume boot records and of the executable files of currently running processes. In the latter case, if a malicious executable file is detected, it is neutralized and all processes started from it are forcibly terminated.

On operating systems with a graphical desktop environment, scanning is integrated with the control panel and with the file manager. On operating systems with mandatory access control and several access levels, files that are not accessible at the current access level can be scanned in autonomous copy mode.

The command-line management tool included in the product can scan the file systems of remote network hosts that provide remote terminal access via SSH.

Remote scanning can only detect malicious and suspicious files on the remote host. To eliminate detected threats there, use the administration tools provided by the host itself. For example, on routers and other “smart” devices a firmware update mechanism can be used; on computers, connect to them (for example, over a remote terminal session) and act on their file system directly (remove or move the files, and so on), or run the anti-virus software installed on them.
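The scan of "executable files of currently running processes" described above covers more than a directory walk would, because a running program whose binary has been deleted from disk still has its image reachable through /proc/<pid>/exe. The following is an added illustration of that enumeration on Linux, written for this page and not taken from Dr.Web; the proc_root parameter and the fake /proc tree used for testing are assumptions introduced so that the code runs without privileges.

```python
"""Enumerate executables backing running processes via /proc (added example, not Dr.Web code).

proc_root is a hypothetical parameter: it defaults to the real /proc but lets the
function be exercised against a constructed directory tree.
"""
import os
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RunningExecutable:
    pid: int
    path: str        # path the kernel reports for /proc/<pid>/exe ("" if unreadable)
    deleted: bool    # True if the binary was unlinked after start (" (deleted)" suffix)
    readable: bool   # False when the exe link could not be resolved (EACCES/EPERM)


def running_executables(proc_root: str = "/proc") -> List[RunningExecutable]:
    """Return one entry per numeric /proc entry whose exe link could be inspected.

    Kernel threads and processes that exit mid-walk have no exe target and are
    skipped; other users' processes without privilege are reported as unreadable
    so a scan run as an ordinary user does not silently miss them.
    """
    result: List[RunningExecutable] = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: int(e) if e.isdigit() else -1):
        if not entry.isdigit():
            continue                     # /proc/self, /proc/sys, ... are not processes
        pid = int(entry)
        link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(link)
        except FileNotFoundError:
            continue                     # kernel thread, zombie, or already gone
        except PermissionError:
            result.append(RunningExecutable(pid, "", False, False))
            continue
        deleted = target.endswith(" (deleted)")
        if deleted:
            target = target[: -len(" (deleted)")]
        result.append(RunningExecutable(pid, target, deleted, True))
    return result


def unique_paths_to_scan(execs: List[RunningExecutable]) -> Tuple[List[str], List[RunningExecutable]]:
    """Split results into distinct on-disk files a scanner can open by path, and
    processes whose binary no longer exists on disk (only /proc/<pid>/exe remains)."""
    on_disk = sorted({e.path for e in execs if e.readable and not e.deleted})
    gone = [e for e in execs if e.readable and e.deleted]
    return on_disk, gone


if __name__ == "__main__":
    execs = running_executables()
    to_scan, gone = unique_paths_to_scan(execs)
    print(f"{len(to_scan)} distinct executables on disk, "
          f"{sum(1 for e in execs if not e.readable)} unreadable without privilege")
    for e in gone:
        # The file is unlinked, but its content can still be read through
        # /proc/<pid>/exe itself, which is what a process scan must do here.
        print(f"pid {e.pid}: {e.path} was deleted from disk while running")
```

Run as root to see every process; as an unprivileged user the unreadable count shows how much a scan would miss. A scanner handed the "gone" list has to open /proc/<pid>/exe directly, since the on-disk path no longer resolves.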

2. Monitoring of file access. File operations and attempts to run executable files are monitored, so that malware can be detected and neutralized at the moment it attempts to infect the computer.

3. Monitoring of network connections. All attempts to access Internet servers (web, mail, and file servers) are monitored in order to block access to websites of unwanted categories and to prevent the transfer of email messages containing infected files, unwanted links, or spam. Email messages and files downloaded from the web are checked for viruses and other threats on the fly. To restrict access to unwanted websites, Dr.Web for Linux uses an automatically updated database of web resource categories together with black and white lists edited by the user. The Dr.Web Cloud service is also consulted to check whether the requested web resource has been marked as malicious by other Dr.Web products.

Depending on the distribution, the anti-spam library may be unavailable. In that case, email messages are not scanned for signs of spam.


If the anti-spam library misclassifies email messages, it is recommended to forward them to the following addresses for analysis, which helps improve the quality of the spam filter:

email messages incorrectly assessed as spam should be forwarded to vrnonspam@drweb.com;

spam email messages that were not detected as spam should be forwarded to vrspam@drweb.com.

Each message submitted for analysis should first be saved in .eml format, and the saved file attached to the email message sent to the corresponding service address.
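The reporting procedure above (save the misclassified message as .eml, attach it, send it to the address matching the kind of error) is easy to get wrong by forwarding inline, which strips the original headers the analysts need. This is an added example written for this page, not a Dr.Web tool: it builds the report as a message/rfc822 attachment using only the Python standard library. The sender address and the sample message are constructed for illustration; the two destination addresses are those given in the text.

```python
"""Build a spam false-positive / false-negative report with the original attached as .eml.

Added example, not Dr.Web code. The sample message and sender are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Destination addresses as given in the Dr.Web documentation.
REPORT_ADDRESS = {
    "false_positive": "vrnonspam@drweb.com",  # legitimate mail wrongly flagged as spam
    "false_negative": "vrspam@drweb.com",     # spam that the filter did not detect
}

# Constructed sample of a legitimate message that a filter might misclassify.
SAMPLE_EML = b"""From: newsletter@example.com
To: user@example.com
Subject: Weekly report
Message-ID: <abc123@example.com>

Hello, here is the weekly report.
"""


def build_report(raw_eml: bytes, kind: str, sender: str) -> EmailMessage:
    """Wrap the raw .eml bytes in a report addressed to the right Dr.Web mailbox.

    The original is attached as message/rfc822 rather than pasted inline, so
    every header (Received, Message-ID, DKIM, ...) reaches the lab untouched.
    """
    if kind not in REPORT_ADDRESS:
        raise ValueError(f"kind must be one of {sorted(REPORT_ADDRESS)}")
    original = message_from_bytes(raw_eml, policy=policy.default)

    report = EmailMessage()
    report["From"] = sender
    report["To"] = REPORT_ADDRESS[kind]
    subject = original["Subject"] or "(no subject)"
    report["Subject"] = f"Spam filter {kind.replace('_', ' ')}: {subject}"
    report.set_content("Please find the misclassified message attached as a .eml file.\n")
    # Passing a parsed message makes the stdlib emit message/rfc822 with a
    # 7bit/8bit transfer encoding, as RFC 2046 requires for that type.
    report.add_attachment(original, filename="sample.eml")
    return report


if __name__ == "__main__":
    # Sender is a placeholder; replace with the reporting user's address.
    msg = build_report(SAMPLE_EML, "false_positive", "user@example.com")
    print(msg.as_string())
```

To send it, hand the returned message to smtplib.SMTP.send_message(); the report itself is deliberately built without network access so the structure can be inspected first.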

4. Reliable isolation of infected or suspicious objects. Such objects are moved to a special storage area, the quarantine, to prevent any harm to the system. When moved to quarantine, objects are renamed according to special rules; if necessary, they can be restored to their original location, but only on explicit request.

5. Automatic updating of the Dr.Web virus databases and of the anti-virus engine to maintain a high level of protection against malware.

6. Operation under the control of a central protection server (such as Dr.Web Enterprise Server, or via a subscription to the Dr.Web AV-Desk service). This mode makes it possible to enforce a unified security policy on computers within the protected network, which can be a corporate network, a virtual private network (VPN), or a service provider's network (for example, that of an Internet service provider).

Using the information stored in Dr.Web Cloud requires sending data about user activity (for example, the addresses of visited websites) to the service, so Dr.Web Cloud can be used only after the user has given the corresponding consent. If necessary, use of Dr.Web Cloud can be disabled at any time in the program settings.