city

City

country

Country

department

Department name

floor

Floor

latitude

Latitude

longitude

Longitude

organization

Organization name

province

Province name

room

Room number

street

Street name

approve-to-group

–

Group to be set as the primary group by default for new stations in the Allow access automatically mode (mode='open').

Empty value, which means the Everyone group is assigned as the primary group.

mode

•open—allow access automatically,

•closed—always deny access,

•approval—approve access manually.

New station approval policy.

–

enabled

•yes—automatically create missing station accounts,

•no—installation is only possible by the number of already created accounts in the group the installation package for the stations of which is launched.

yes

enabled

•yes—replace,

•no—do not replace. The <agent-host-names /> parameter will be used instead.

NetBIOS name replacement mode.

host

•yes—display partially qualified DNS names (before the dot in FQDN),

•no—display fully qualified DNS names (FQDN).

Displayed name format after replacement.

enabled

•yes—store responses in the cache,

•no—do not store responses in the cache.

Mode of storing responses in the cache.

negative-ttl

–

Cache storage time (TTL) of negative responses from the DNS server in minutes.

positive-ttl

–

Cache storage time (TTL) of positive responses from the DNS server in minutes.

level

Integer from 1 to 9.

Compression level.

mode

•yes—use compression,

•no—do not use compression,

•possible—compression is allowed.

Compression mode.

queue-size

•positive integer,

•unlimited.

Maximum allowed number of update distribution sessions running at the same time on Dr.Web Server. When the limit is reached, Dr.Web Agent requests are placed into the waiting queue. The waiting queue size is unlimited.

unlimited

value

•maximum speed in KB/sec,

•unlimited.

Maximum total speed for update transmission.

unlimited

queue-size

•positive integer,

•unlimited.

Maximum allowed number of Dr.Web Agent installation sessions running at the same time on Dr.Web Server. When the limit is reached, Dr.Web Agent requests are placed into the waiting queue. The waiting queue size is unlimited.

unlimited

value

•maximum speed in KB/sec,

•unlimited.

Maximum total speed for transmitting data during Dr.Web Agent installation.

unlimited

enabled

•yes—allow synchronization,

•no—disable synchronization.

Synchronization mode.

startup-sync

Positive integer.

Number of stations without any geographical coordinates, information on which is requested when establishing a connection between Dr.Web Servers.

auth-list

•none—do not use authorization,

•any—any supported method,

•safe—any secure supported method,

•if several of the following methods are set, they must be separated by a space:

▫basic

▫digest

▫digestie

▫ntlmwb

▫ntlm

▫negotiate

Proxy server authorization type. The default is any.

enabled

•yes—use proxy server,

•no—do not use proxy server.

Mode of connection to Dr.Web Server via HTTP proxy server.

host

–

Proxy server address.

password

–

Password of the proxy server user if the proxy server requires authorization.

user

–

Name of the proxy server user if the proxy server requires authorization.

enabled

•yes—send statistics,

•no—do not send statistics.

Mode of sending statistics to the Doctor Web company.

–

id

–

MD5 of the Dr.Web Agent license key.

–

interval

Positive integer.

Interval of sending statistics in minutes.

30

multicast-group

IP address of multicast group through which Dr.Web Servers will be exchanging information.

port

Port number of the network interface to which the transport protocol is bound for transmitting information to the multicast group.

interface

IP address of the network interface to which the transport protocol is bound for transmitting information to the multicast group.

port

<port value="" />

value

The port number of the Dr.Web Server network interface used by the multicast transport protocol to transmit updates. This port is used by all multicast groups.

For multicast updates, specify any unused port different from the one specified in the Dr.Web Server transport protocol settings.

2197

ttl

<ttl value="" />

value

Time-to-live of a transferred UDP datagram. This value will be used by all multicast groups.

8

group

<group address="" />

address

IP address of the multicast group that stations will receive multicast updates from.

233.192.86.0 for IPv4

FF0E::176 for IPv6

on

<on interface="" ttl="" />

interface

IP address of the Dr.Web Server network interface that the multicast transport protocol is bound to for transmitting updates.

–

ttl

Time-to-live of a UDP datagram transferred via a specified network interface. Has a higher priority than the general <ttl value="" /> child element.

8

transfer

<transfer datagram-size="" assembly-timeout="" updates-interval="" chunks-interval="" resend-interval="" silence-interval="" accumulate-interval="" announce-send-times="" />

datagram-size

UDP datagram size (bytes)—size of UDP datagrams used by the multicast protocol in bytes.

The allowed range is 512–8192. To avoid fragmentation, it is recommended to set a value less than the MTU (Maximum Transmission Unit) of the network.

1400

assembly-timeout

File transmission time (ms.)—during the specified time a single update file is transmitted, after which Dr.Web Server starts sending the next file.

All files that could not be transferred during the multicast protocol update will be transferred during the standard update via TCP.

180000

updates-interval

Duration of multicast updates (ms.)—duration of the update process via the multicast protocol.

All files that could not be transferred during the multicast protocol update will be transferred during the standard update via TCP.

600000

chunks-interval

Package transmission interval (ms.)—interval of package transmission to a multicast group.

A low interval value may cause significant losses during the package transfer and overload the network. It is not recommended to change this parameter.

14

resend-interval

Interval between requests for retransmission (ms.)—Dr.Web Agents send requests for retransmission of lost packages with this interval.

Dr.Web Server accumulates these requests and sends out any lost blocks afterwards.

1000

silence-interval

“Silence” interval on the line (ms.)—whenever file transmission is over before the allotted time and no requests for retransmission of lost packages are received from Dr.Web Agents during the specified “silence” time interval, Dr.Web Server assumes that all Dr.Web Agents successfully received update files and initiates transmission of the next file.

10000

accumulate-interval

Retransmission request accumulation interval (ms.)—during the specified time interval, Dr.Web Server accumulates requests for retransmission of lost packages from Dr.Web Agents.

Dr.Web Agents request lost packages. Dr.Web Server accumulates these requests throughout the specified time and sends out any lost blocks afterwards.

2000

announce-send-times

Number of file transmission announcements—the number of times Dr.Web Server announces a file transmission to a multicast group before the update transmission starts.

When it is announced, a UDP datagram with file metadata is sent to the multicast group. Increasing the number of announcements can potentially improve transmission reliability, but at the same time can lead to a decreased amount of data that can be transmitted over the multicast protocol in the time allotted to it.

3

connections

Positive integer.

Maximum number of database connections with Dr.Web Server.

Do not change the default value when using the embedded database.

The use of an external database may require a higher value (see Dr.Web Server Load and Recommended Configuration Parameters). When working in an anti-virus network with a large number of client connections to Dr.Web Server, it is recommended that you consult with the Doctor Web technical support team before changing the value.

2

speedup

yes | no

Automatically perform the delayed purging of the database after its initialization, upgrade, and import (see the Administrator Manual, Database).

yes

dbfile

–

Database name.

database.sqlite

cache

SHARED | PRIVATE

Caching mode.

SHARED

cachesize

Positive integer.

Database cache size (in 1.5 KB pages).

2048

readuncommitted

on | off

Transition to the READ UNCOMMITTED transaction isolation level (access data that has been changed or deleted but not committed by another transaction).

off

precompiledcache

Positive integer.

Cache size of precompiled SQL operators (in bytes).

1048576

synchronous

•TRUE or FULL—synchronous

•FALSE or NORMAL—regular

•OFF—asynchronous

Data write mode.

FULL

checkintegrity

quick | full | no

Verify the integrity of the database image at Dr.Web Server startup.

quick

autorepair

yes | no

Automatically restore a corrupted database image at Dr.Web Server startup.

no

mmapsize

Positive integer.

Maximum number of bytes of the database file that is allowed to be mapped into the process address space at a time.

•for Unix-like OSs—10485760

•for Windows—0

wal

yes | no

Use Write-Ahead Logging.

yes

wal-max-pages

–

Maximum number of “dirty” pages at which the pages are written to disk.

1000

wal-max-seconds

–

Maximum time to delay writing pages to disk (in seconds).

30

dbname

–

Database file name.

–

host

–

PostgreSQL server host or path to a Unix domain socket.

–

port

–

PostgreSQL server port or an extension of the Unix domain socket file.

–

options

–

Command line parameters to send to the database server.

For more details, see chapter 18 at https://www.postgresql.org/docs/9.1/libpq-connect.html

–

requiressl

•1 | 0 (via the Control Center)

•y | n

•yes | no

•on | off

Allow SSL connections only.

•0

•y

•yes

•on

user

–

Database user name.

–

password

–

Database user password.

–

temp_tablespaces

–

Namespace for temporary tables.

–

default_transaction_isolation

•read uncommitted

•read committed

•repeatable read

•serializable

Transaction isolation level.

read committed

debugproto

•yes | no

•on | off

Enable debug logging of the DBMS operation.

•yes

•on

connectionstring

–

String with the Oracle SQL Connect URL or Oracle Net key-value pairs.

–

user

–

Registration name of the database user.

–

password

–

Database user password.

–

client

–

Path to the Oracle Instant Client for accessing the Oracle DB. Dr.Web Server is supplied with Oracle Instant Client of version 11. If Oracle Servers of a later version are used or if the Oracle driver contains errors, you can download a corresponding driver from the Oracle website and set the path to the driver in this field.

–

prefetch-rows

0–65535

Number of rows to be prefetched when executing a query to the database.

0—use the value = 1 (database default)

prefetch-mem

0–65535

Memory allocated for rows to be prefetched when executing a query to the database.

0—unlimited

dsn

–

ODBC data source name.

drwcs

user

–

Registration name of the database user.

drwcs

pass

–

Database user password.

drwcs

limit

Positive integer.

Reconnect to the DBMS after the specified number of transaction.

0—do not reconnect

transaction

•SERIALIZABLE—serializable

•READ_UNCOMMITTED—read uncommitted data

•READ_COMMITTED—read committed data

•REPEATABLE_READ—repeatable read

•DEFAULT—equal to ""—depends on the DBMS.

Transaction isolation level.

Some DBMS support READ_COMMITTED only.

DEFAULT

dbname

–

Database name.

drwcs

host

Either of the two.

Database server address for TCP/IP connections.

localhost

Path to the UNIX socket file when using UDS. If not set, Dr.Web Server tries to locate the file in one of the standard mysqld directories.

/var/run/mysqld/

port

Either of the two.

Port number to connect to the database via TCP/IP.

3306

UNIX socket file name when using UDS.

mysqld.sock

user

–

Registration name of the database user.

""

password

–

Database user password.

""

ssl

yes | any other string

Allow SSL connections only.

no

precompiledcache

Positive integer.

Cache size of precompiled SQL operators (in bytes).

1048576

debugproto

•yes | no

•on | off

Enable debug logging of the DBMS operation.

•no

•off

profile

•yes

•no

Log information on the Dr.Web Server script profiling. This parameter is used by technical support specialists and developers. It is not recommended to change this parameter without need.

no

stack

Log information on Dr.Web Server script execution from a call stack. This parameter is used by technical support specialists and developers. It is not recommended to change this parameter without need.

trace

Log information on Dr.Web Server script execution tracing. This parameter is used by technical support specialists and developers. It is not recommended to change this parameter without need.

discovery

Defines whether the Dr.Web Server detection service is used or not.

no, specified together with the ip attribute only.

yes, no

no

ip | unix

Defines the family of used protocols (IP or Unix socket) and specifies the interface address.

yes

–

0.0.0.0 | –

name

Specifies the Dr.Web Server name for the Dr.Web Server detection service.

no

–

drwcs

multicast

Defines whether Dr.Web Server is in a multicast group or not.

no, specified together with the ip attribute only.

yes, no

no

multicast-group

Specifies the address of the multicast group into which Dr.Web Server is included.

no, specified together with the ip attribute only.

–

•231.0.0.1

•[ff18::231.0.0.1]

port

Port to listen.

no, specified together with the ip attribute only.

–

2193

enabled

•yes—protocol is enabled,

•no—protocol is disabled.

Protocol usage mode.

no

name

•AGENT—protocol that allows interaction of Dr.Web Server with Dr.Web Agents.

•MSNAPSHV—protocol that allows interaction of Dr.Web Server with the Microsoft NAP Validator system health check component.

•INSTALL—protocol that allows interaction of Dr.Web Server with Dr.Web Agent installers.

•CLUSTER—protocol for interaction between Dr.Web Servers in a cluster system.

•SERVER—protocol that allows interaction of Dr.Web Server with other Dr.Web Servers.

Protocol name.

–

enabled

•yes—extension is enabled,

•no—extension is disabled.

Extension usage mode.

no

name

•WEBMIN—the Dr.Web Security Control Center extension for managing Dr.Web Server and the anti-virus network via the Control Center.

•FrontDoor—the Dr.Web Server FrontDoor extension that allows connection to the Dr.Web Server remote diagnostics utility.

Extension name.

–

min-count

Maximum number of remaining licenses at which the Limitation on a number of licenses in the license key notification will be sent.

3

min-percent

Maximum percentage of remaining licenses at which the Limitation on a number of licenses in the license key notification will be sent.

5

report-period

Interval at which Dr.Web Server reports on license key usage are created.

If a report on license usage is created by a child Dr.Web Server, then this report is immediately sent to the main Dr.Web Server.

Created reports are additionally sent each time Dr.Web Server is connected (including restarting), as well as when the number of issued licenses on the main Dr.Web Server changes.

1440

active-stations-period

Period for counting the number of active stations to create a report on license usage. The value 0 prescribes to include all stations in the report regardless of their activity status.

0

expiration-interval

Validity period of donated licenses—period of time for which licenses are issued from the key on this Dr.Web Server. The setting is used if the Dr.Web Server donates licenses to neighbor Dr.Web Servers.

1440

prolong-preact

Period for accepted licenses renewal—period of time until license expiration starting from which this Dr.Web Server initiates renewal of the license which is accepted from the neighbor Dr.Web Server. The setting is used if Dr.Web Server accepts licenses from neighbor Dr.Web Servers.

60

check-interval

License synchronization period—time interval for synchronizing information about licenses donated between Dr.Web Servers.

1440

count

–

Number of login attempts.

5

only-failed

•yes—count only unsuccessful authorization attempts,

•no—count both unsuccessful and successful authorization attempts.

Count only unsuccessful attempts.

yes

period

–

Time period during which authorization will be impossible.

60 seconds

from

–

Email address which will be set as the email sender.

drwcs@localhost

debug

•yes—use debug mode,

•no—do not use debug mode.

Use debug mode to get a detailed log of the SMTP session.

no

server

–

SMTP server address which is used to send emails.

127.0.0.1

user

–

Name of the SMTP server user if the SMTP server requires authorization.

–

pass

–

Password of the SMTP server user if the SMTP server requires authorization.

–

port

Positive integer.

SMTP server port which is used to send emails.

25

start_tls

•yes—use this authentication type,

•no—do not use this authentication type.

Encrypt data transfer. Switching to the secure connection is performed by using the STARTTLS command. Port 25 is used by default for the connection.

yes

auth_plain

Use plain text authentication on the mail server.

no

auth_login

Use LOGIN authentication on the mail server.

no

auth_cram_md5

Use CRAM-MD5 authentication on the mail server.

no

auth_digest_md5

Use DIGEST-MD5 authentication on the mail server.

no

auth_ntlm

Use AUTH-NTLM authentication on the mail server.

no

conn_timeout

Positive integer.

Connection time-out for the SMTP server.

180

enabled

•yes—use SSL,

•no—do not use SSL.

Mode of using SSL encryption.

no

verify_cert

•yes—check the SSL certificate,

•no—do not check the SSL certificate.

Validate the SSL certificate of the mail server.

no

ca_certs

–

Path to the root SSL certificate of Dr.Web Server.

–

enabled

yes | no

Enables monitoring of multiple events on infected stations and allows to send summary notifications to the administrator.

yes

aggregation-period

Positive integer.

Time period in seconds after sending a notification about an epidemic during which single notifications about infected stations will not be sent.

300

check-period

Time period in seconds during which a specified number of messages on infected stations must be received to send a notification about an epidemic.

3600

threshold

Number of messages on infections that must be received in a specified time period for Dr.Web Server to send a summary notification on an epidemic for all infection cases (the Epidemic in the network notification) to the administrator.

100

most-active

Number of the most frequently occurring threats which must be included in the epidemic report.

5

enabled

yes | no

Enables monitoring of multiple events of Preventive protection and allows to send summary notifications to the administrator.

yes

aggregation-period

Positive integer.

Time period in seconds after sending a summary report on Preventive protection events during which notifications about single events will not be sent.

300

check-period

Time period in seconds during which a specified number of Preventive protection events must occur to send a summary report.

3600

threshold

The number of Preventive protection events that must be received in a specified time period for Dr.Web Server to send a single summary report on these events (the Summary report of Preventive protection notification) to the administrator.

100

most-active

Number of the most frequently occurring processes that have performed a suspicious action which must be included in the Preventive protection report.

5

enabled

yes | no

Enables monitoring of multiple events of Application Control and allows to send summary notifications to the administrator.

yes

aggregation-period

Positive integer.

Time period in seconds after sending a summary report on processes blocked by Application Control during which notifications about single blockings will not be sent.

300

check-period

Time period in seconds during which a specified number of processes must be blocked to send a summary report.

3600

threshold

Number of events on processes blocked by Application Control that must be received in a specified time period for Dr.Web Server to send a single summary report on these events (the Large number of blocks by the Application Control detected notification) to the administrator.

100

most-active

Number of the most common profiles that triggered blocking and must be included in the multiple blocking notification.

5

enabled

yes | no

Enables monitoring of abnormally terminated connections with clients and allows to send corresponding notifications to the administrator.

yes

aggregation-period

Positive integer.

Time period in seconds after sending a notification on multiple terminated connections during which notifications about single terminated connections will not be sent.

300

check-period

Time period in seconds during which a specified number of connections with clients must be terminated to send the corresponding notification.

3600

single-alert-threshold

Minimum number of connections with a single address that must be terminated during the counting period to send a notification about a single abnormally terminated connection (the Connection terminated abnormally notification).

10

summary-alert-threshold

Minimum number of connections that must be terminated during the counting period to send a summary notification about multiple abnormally terminated connections (the Large number of abnormally terminated connections detected notification).

1000

min-session-duration

If the duration of a terminated connection with a client is less than the specified value, then, when a specified number of connections is reached, a notification about single terminated connections (the Connection terminated abnormally notification) will be sent regardless of the counting period. The connection must not be terminated later by longer connections, and the notification about multiple abnormally terminated connections must not be sent (the Large number of abnormally terminated connections detected notification).

300

server-header

yes | no

Allows to not show the string with server details (Dr.Web Server version, OS version, libraries used), which makes it more difficult to find known vulnerabilities.

Corresponds to the Return detailed header flag in the web server configuration.

no

lower-case-uri

yes | no

Converts all URIs in requests to the web server to lowercase.

Corresponds to the Convert URI to lowercase flag in the web server configuration.

no

hacker-misleading

yes | no

When enabled, returns fake passwd, hosts, etc. in response to requests for such files as /etc/passwd, /etc/hosts, etc. (anticipating the presence of a Path/Directory Traversal class vulnerability).

There is no corresponding option in the current web server configuration.

yes