Main Functions

Dr.Web for Linux main functions:

1. Detection and neutralization of malicious programs (for example, viruses, including those that infect mail files and boot records, trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers, and so on). For details on methods used to neutralize threats, refer to Appendix A. Types of Computer Threats.

The product uses several malware detection methods simultaneously:

Signature analysis, which allows detection of known threats from virus databases.

Heuristic analysis, which allows detection of threats that are not present in virus databases.

Cloud-based threat detection technologies, using the Dr.Web Cloud service that collects up-to-date information about recent threats and sends it to Dr.Web products.

Note that the heuristic analyzer may raise false alarms on software activity that is not malicious. For this reason, objects in which threats are detected by the heuristic analyzer are considered “suspicious”. It is recommended to quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

File system scanning can be started in two ways: on demand and automatically, according to a schedule. There are two scan modes: full scan (all file system objects are scanned) and custom scan (only selected objects, directories or files, are scanned). In addition, the user can start a separate scan of volume boot records and of the executable files from which currently active processes were started. In the latter case, if a malicious executable file is detected, it is neutralized and all processes started from this file are forcibly terminated.

For operating systems with a graphical desktop environment, file scanning can be integrated with either the taskbar or a graphical file manager. On systems that implement mandatory access control with different access levels, files that are not accessible at the current access level can be scanned as an offline copy.

All objects containing threats that are detected in the file system are registered in the permanently stored threats registry, except threats that were detected in the autonomous copy mode.

The command-line tool included in Dr.Web for Linux allows scanning for threats the file systems of remote network hosts that provide remote terminal access via SSH or Telnet.

Remote scanning can only detect malicious and suspicious files on a remote host. To eliminate the detected threats on the remote host, use the administration tools provided by that host. For example, for routers and other smart devices, update the firmware; for computers, connect to them (for example, via a remote terminal session) and perform the necessary operations on the file system (remove or move files, etc.), or run the anti-virus software installed on them.

2. Monitoring access to files. This mode tracks access to data files and attempts to run executables, which allows malware to be detected and neutralized when it attempts to infect the computer. In addition to the standard monitoring mode, you can use the enhanced (or Paranoid) mode, in which the monitor blocks access to a file until its scan is completed (this prevents access to files that contain a threat, whereas in the standard mode the scan result may only become known after the application has already accessed the file). The enhanced monitoring mode increases security, but slows down access to not yet verified files for applications.

3. Monitoring of network connections. All attempts to access internet servers (web servers, file servers) via the HTTP and FTP protocols are monitored in order to block access to websites or hosts of unwanted categories and to prevent downloading of malicious files.

4. Scanning of email messages to prevent receiving and sending emails containing infected files and unwanted links, as well as emails classified as spam.

Email messages and files downloaded from the web are scanned for viruses and other threats on the fly. Depending on the distribution, Dr.Web Anti-Spam may be unavailable in Dr.Web for Linux; in this case, email messages are not scanned for signs of spam.

To restrict access to unwanted websites, Dr.Web for Linux supports an automatically updated database of web resource categories, as well as black and white lists that are edited by the user. The Dr.Web Cloud service is also used to check whether the requested web resource has been marked as malicious by other Dr.Web anti-virus products.

If any email messages are falsely classified by the email anti-spam component Dr.Web Anti-Spam, we recommend that you forward them to special addresses for analysis and improvement of the spam filter. To do that, save each message to a separate .eml file, attach the files to an email message and send it to the appropriate address:

nonspam@drweb.com: if the attached email files were erroneously considered spam;

spam@drweb.com: if the attached email files are spam that was not recognized as such.

5. Reliable isolation of infected or suspicious objects. Such objects are moved to a special storage, the quarantine, so that they cannot harm the system. When moved to quarantine, objects are renamed according to special rules; if necessary, they can be restored to their original location, but only on demand.

6. Automatic updating of Dr.Web virus databases and of the scan engine to maintain a high level of protection against malware.

7. Collection of statistics on virus events and logging of threat detection events (available only via the command-line tool), as well as sending statistics on virus incidents to the Dr.Web Cloud service.

8. Operation in centralized protection mode (when connected to a centralized protection server such as Dr.Web Enterprise Server, or as part of the Dr.Web AV-Desk service). This mode allows a unified security policy to be enforced on computers within the protected network, which can be a corporate network, a private network (VPN), or the network of a service provider (for example, an internet service provider).

Use of the information stored in the Dr.Web Cloud service requires the transfer of data on user activity (for example, addresses of visited websites). Therefore, Dr.Web Cloud can be used only after the corresponding user consent is received. If necessary, the use of Dr.Web Cloud can be disabled at any time in the program settings.