File Monitoring Modes

General Information

SpIDer Guard, the file system monitor that controls access to files, can operate in one of three monitoring modes:

Regular (set by default)—SpIDer Guard monitors file access events (creation, opening, closing, and running) and requests a scan of the file. If a threat is detected by the scan, an action is applied to neutralize the threat. Applications are allowed to access the file while the scan is still in progress.

Enhanced control of executable files—SpIDer Guard monitors files considered non-executable as in the regular mode. Access to files considered executable is blocked at the access attempt until the scan of the file is finished.

Executable files are binary files in the PE and ELF formats, as well as text script files that begin with the “#!” preamble.

“Paranoid” mode—SpIDer Guard blocks access to any file at the access attempt until the scan of the file is finished.

The scanner stores file scan results in a special cache for a certain period, so when the same file is accessed again and a cached result exists, the file is not rescanned and the cached result is used instead. Even so, the Paranoid monitoring mode leads to a significant slowdown in file access.

Switching Between File Monitoring Modes

The modes that block access before scanning (enhanced control of executable files and “paranoid” mode) are only available if SpIDer Guard works in the FANOTIFY mode and the OS kernel is built with the CONFIG_FANOTIFY_ACCESS_PERMISSIONS option enabled.

Switching between the SpIDer Guard monitoring modes is performed with the cfset command of the drweb-ctl utility.

Switching between SpIDer Guard monitoring modes requires administrative (root) privileges. To obtain them, you can use the su command to switch to another user, or the sudo command to perform the action as a different user.

To switch SpIDer Guard into the FANOTIFY mode, use the following command:

$ sudo drweb-ctl cfset LinuxSpider.Mode FANOTIFY

To change the monitoring mode, use the command:

$ sudo drweb-ctl cfset LinuxSpider.BlockBeforeScan <mode>

where <mode> defines the blocking mode:

Off—access is not blocked; SpIDer Guard operates in the regular (non-blocking) monitoring mode.

Executables—access to executable files is blocked; SpIDer Guard operates in the enhanced control of executable files mode.

All—access to all files is blocked; SpIDer Guard operates in “paranoid” mode.

To change the validity period for the file scan results in the cache, use the command:

$ sudo drweb-ctl cfset FileCheck.RescanInterval <period>

where the <period> parameter determines how long scan results stored in the cache remain valid. It can take a value from 0s through 1m. If you set an interval shorter than 1 second, results are not kept and files are scanned upon every access request.
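The following helper script is an added example, not part of Dr.Web or the drweb-ctl utility. It checks the kernel prerequisite stated above (CONFIG_FANOTIFY_ACCESS_PERMISSIONS), validates the <mode> and <period> values, and prints the drweb-ctl commands to run as root; it assumes the kernel config is readable at /boot/config-$(uname -r) or /proc/config.gz, and that <period> is written as "<N>s" (0 to 60) or "1m".

```shell
#!/bin/sh
# Added example (not Dr.Web's code): prerequisite check and command builder for
# the SpIDer Guard blocking modes. Assumes the kernel config is available at
# /boot/config-$(uname -r) or /proc/config.gz and <period> is "<N>s" or "1m".

# fanotify_permissions_enabled CONFIG_FILE
# Returns 0 if a plain-text kernel config enables CONFIG_FANOTIFY_ACCESS_PERMISSIONS.
fanotify_permissions_enabled() {
    grep -qx 'CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$1"
}

# running_kernel_config: prints the running kernel's config as plain text.
running_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        echo "kernel config not found" >&2
        return 1
    fi
}

# valid_rescan_interval PERIOD: accepts 0s through 1m (assumed syntax: "<N>s" or "1m").
valid_rescan_interval() {
    case "$1" in
        1m) return 0 ;;
        [0-9]s|[0-9][0-9]s) [ "${1%s}" -le 60 ] ;;
        *) return 1 ;;
    esac
}

# spider_guard_commands MODE [PERIOD]
# Prints the commands (run them as root) that switch SpIDer Guard to FANOTIFY,
# set LinuxSpider.BlockBeforeScan and, optionally, FileCheck.RescanInterval.
spider_guard_commands() {
    case "$1" in
        Off|Executables|All) ;;
        *) echo "invalid mode: $1 (expected Off, Executables or All)" >&2; return 1 ;;
    esac
    if [ -n "$2" ] && ! valid_rescan_interval "$2"; then
        echo "invalid period: $2 (expected 0s through 1m)" >&2; return 1
    fi
    printf 'drweb-ctl cfset LinuxSpider.Mode FANOTIFY\n'
    printf 'drweb-ctl cfset LinuxSpider.BlockBeforeScan %s\n' "$1"
    [ -n "$2" ] && printf 'drweb-ctl cfset FileCheck.RescanInterval %s\n' "$2"
    return 0
}
```

On a real host, `running_kernel_config > /tmp/kcfg && fanotify_permissions_enabled /tmp/kcfg` tells you whether the Executables and All modes can work before you switch, and `spider_guard_commands All 30s | sudo sh` applies the printed commands.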