Real-Time File System Protection

The file system monitor SpIDer Guard protects your computer in real time and prevents infecting of your computer. SpIDer Guard automatically launches upon Windows startup and scans file when they are opened, run, or edited. SpIDer Guard also monitors actions of launched processes.

3.Enable or disable the file system monitor SpIDer Guard by using the switcher

With the default settings, SpIDer Guard performs on-access scans of files that are being created or changed on the hard drives and all files that are opened on removable media. Moreover, SpIDer Guard constantly monitors all running processes and blocks malicious processes.

By default, SpIDer Guard loads automatically when Windows starts and cannot be unloaded during the current Windows session.

If infected objects are detected, SpIDer Guard applies actions according to the specified parameters. The default settings are optimal for most cases. Do not change them unnecessarily.

1.Make sure Dr.Web operates in administrator mode (the lock at the bottom of the program window is open

). Otherwise, click the lock

By default, SpIDer Guard performs on-access scans of files that are being created or changed on the hard drives and all files that are opened on removable media, as well as blocking the automatic startup of their active content. This method prevents your computer from getting infected through removable media, as SpIDer Guard monitors your file system accesses in the real-time mode and blocks the execution of malicious code.

Operating system may register some removable media as hard drives (for example, portable USB hard drives). In this case, the Safely Remove Hardware and Eject Media icon is not displayed in the Windows notification area. Unless in paranoid scan mode, SpIDer Guard does not perform scanning when reading a file from such a disk. Scan such devices with Dr.Web Scanner when you connect them to the computer.

You can enable or disable the Scan removable media and Block autorun for removable media options by using the switcher

in the Scan options setting group.

In this group, you can configure actions that Dr.Web will apply to threats detected by the file system monitor SpIDer Guard.

The actions are set separately for each type of malicious and suspicious objects. These actions vary for different object types. The recommended actions are set by default for each type of objects. Copies of all processed objects are stored in Quarantine.

The following actions can be applied to threats:

Action	Description
Cure, move to quarantine if not cured	Instructs to restore the original state of the object before infection. If the object is incurable, or the attempt of curing fails, this object is moved to quarantine. The action is available only for objects with a known threat that can be cured except for Trojan programs and files within complex objects such as archives, mailboxes, or file containers.
Cure, delete if incurable	Instructs to restore the original state of the object before infection. If the object is incurable, or the attempt of curing fails, this object is deleted. The action is available only for objects with a known threat that can be cured except for Trojan programs and files within complex objects such as archives, mailboxes, or file containers.
Delete	Instructs to delete the object. This action is not available for boot sectors.
Move to Quarantine	Instructs to move the object to a specific folder of Quarantine. This action is not available for boot sectors.
Ignore	Instructs to skip the object without performing any action or displaying a notification. The action is available only for potentially dangerous files: adware, dialers, jokes, hacktools and riskware.

In this setting group, you can select the file scan mode of the SpIDer Guard monitor.

Mode

Description

Optimal, used by default

In this mode, SpIDer Guard scans objects only when one of the following actions is traced:

•For objects on hard drives, an attempt to execute a file, create a new file, or add a record to an existing file or boot sector.

•For objects on removable media, an attempt to access file or boot sectors in any way (write, read, execute).

It is recommended that you use this mode after a thorough scan of all hard drives by Dr.Web Scanner. With this mode activated, SpIDer Guard prevents possibility of penetration of new viruses and other malicious objects via removable media into your computer while preserving performance by omitting knowingly “clean” objects from repeated scans.

Paranoid

In this mode, SpIDer Guard scans files and boot sectors on hard or network drives and removable media at any attempt to access them (create, write, read, execute).

This mode ensures maximum protection but considerably reduces computer performance.

The settings of this group allow you to specify parameters for scanning objects on-the-fly and are always applied regardless of the selected SpIDer Guard operation mode. You can enable:

•Scan of scripts executed with Windows Script Host and PowerShell (for Windows 10, Windows 11)

By default, SpIDer Guard performs scan using heuristic analysis. If this option is disabled, SpIDer Guard will use signature analysis only.

Anti-rootkit component included in Dr.Web provides options for background scanning of the operating system for complex threats and curing of detected active infections when necessary.

If this option is enabled, Dr.Web Anti-rootkit constantly resides in memory. In contrast to the on-the-fly scanning of files by SpIDer Guard, scanning for rootkits includes checking of autorun objects, running processes and modules, Random Access Memory (RAM), MBR/VBR disks, computer BIOS system, and other system objects.

One of the key features of Dr.Web Anti-rootkit is delicate attitude towards consumption of system resources (processor time, free RAM, and others) as well as consideration of hardware capacity.

When Dr.Web Anti-rootkit detects a threat, it notifies you on the detection and neutralizes the malicious activity.