Functional analysis criteria

When setting up functional analysis, it is recommended to set the functional analysis criteria to achieve the maximum level of protection.

The Functional analysis criteria section contains information on the categories that you can set to protect your profile. You can choose a category based on the level of protection you need. The default value for all parameters is Disabled.

Categories of functional analysis criteria

Application launch

Enables control of running processes for the list of trusted applications.

Prevent running of applications signed by certificates known in Doctor Web as certificates for adware.
This criterion blocks the launch of applications that may distribute advertising.

Prevent running of applications signed by certificates known in Doctor Web as gray.
This criterion blocks the launch of applications signed by "gray" certificates. These certificates are often used to sign insecure applications.

Prevent running of applications signed by certificates known in Doctor Web as certificates for hacktools.
This criterion blocks the launch of applications that threaten the system security. It is recommended to set this criterion.

Prevent running of applications signed by fake/malformed certificates.
This criterion blocks the launch of malicious applications signed with invalid certificates, that is, certificates that are corrupted or attached to a binary file in order to keep the threat from being detected (for example, certificates taken from legitimate software). It also helps when a legitimate file has been modified or infected with a virus. It is recommended to set this criterion.

Prevent running of applications signed by certificates known in Doctor Web as certificates for malware.
This criterion blocks the launch of applications signed with compromised certificates. It is recommended to set this criterion.

Prevent running of applications signed by revoked certificates.
This criterion blocks the launch of applications signed with stolen or compromised certificates and helps prevent the launch of potentially malicious applications. It is recommended to set this criterion.

Prevent running of applications signed by self-signed certificates.
This criterion blocks unlicensed software that may be malicious. Malicious programs can add a fake signature with a well-known name (for example, Microsoft) to their binary files and/or add a root certificate to the system so that this file is shown and recognized by the OS as legally signed.

Prevent running of unsigned applications.
This criterion blocks the launch of potentially malicious and untrusted applications of unknown origin.

Prevent running of Sysinternals utilities.
This criterion blocks the launch of Sysinternals utilities, which are often used to compromise the system.

info

If the Allow running of system applications and Microsoft company applications flag is set in the Permissions section, Sysinternals utilities will run even if this criterion is set.

Prevent running of applications from NTFS alternate data streams (ADS).
Applications saved in NTFS alternate data streams (ADS) are often malicious. It is recommended to set this criterion.

Prevent running of applications from network and shares.
Launching applications from the network and shared resources is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent running of applications from removable media.
Launching applications from removable media is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent running of applications from temporary folders.
Launching applications from temporary folders is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent running of Windows/Microsoft Store applications (only for Windows 8 and later).
This criterion blocks the launch of applications downloaded from Windows/Microsoft Store.

Prevent running of applications with double/non-typical extension.
This criterion blocks the launch of suspicious files with an atypical extension (for example, *.jpg.exe).

Prevent running of bash shells and WSL applications (only for Windows 10 and later).
This criterion blocks the launch of bash command shells and WSL applications.

Exceptions:

Allow running of system applications and Microsoft company applications.

Allow running of known/trusted by Doctor Web applications.
If enabled, applications signed with a trusted certificate are allowed to launch.

info

If this option is enabled, applications signed with a trusted certificate are allowed to run. This feature lets you avoid creating an excessive number of rules and rely instead on data already verified by Dr.Web. Trust in this case is based on cryptography and on an extensive, constantly updated database.

Modules load and execution

Enables control of loaded modules. In this category, you can specify two operating modes:

Control all modules load and execution. A global option that enables control for the modules in the list of allowed objects.
This mode is resource-intensive. It is recommended to use it only if you need enhanced protection.

Control modules load and execution in host applications.
This mode is less resource-intensive. It controls modules only in processes that can be used to compromise the system, or in cases when malware can get into the system by masquerading as a system or trusted file. Use this mode if enhanced protection is not needed. In this mode you can:

Prevent loading and execution of modules signed by certificates known in Doctor Web as certificates for adware.
This criterion blocks the launch of applications that may distribute advertising.

Prevent loading and execution of modules signed by certificates known in Doctor Web as gray.
This criterion blocks the launch of applications signed by "gray" certificates. These certificates are often used to sign insecure applications.

Prevent loading and execution of modules signed by certificates known in Doctor Web as certificates for hacktools.
This criterion blocks the launch of applications that threaten the system security. It is recommended to set this criterion.

Prevent loading and execution of modules signed by fake/malformed certificates.
This criterion blocks the launch of malicious applications signed with invalid certificates, that is, certificates that are corrupted or attached to a binary file in order to keep the threat from being detected (for example, certificates taken from legitimate software). It also helps when a legitimate file has been modified or infected with a virus. It is recommended to set this criterion.

Prevent loading and execution of modules signed by certificates known in Doctor Web as certificates for malware.
This criterion blocks the launch of applications signed with compromised certificates. It is recommended to set this criterion.

Prevent loading and execution of modules signed by revoked certificates.
This criterion blocks the launch of applications signed with stolen or compromised certificates and helps prevent the launch of potentially malicious applications. It is recommended to set this criterion.

Prevent loading and execution of modules signed by self-signed certificates.
This criterion blocks unlicensed software that may be malicious. Malicious programs can add a fake signature with a well-known name (for example, Microsoft) to their binary files and/or add a root certificate to the system so that this file is shown and recognized by the OS as legally signed.

Prevent running of unsigned modules.
This criterion blocks the launch of potentially malicious and untrusted applications of unknown origin.

Prevent loading and execution of modules from NTFS alternate data streams (ADS).
Applications saved in NTFS alternate data streams (ADS) are often malicious. It is recommended to set this criterion.

Prevent loading and execution of modules from network and shares.
Launching applications from the network and shared resources is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent loading and execution of modules from removable media.
Launching applications from removable media is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent loading and execution of modules from temporary folders.
Launching applications from temporary folders is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent loading and execution of modules with double/non-typical extension.
Blocks the launch of suspicious applications with a non-standard extension (for example, *.jpg.exe).

Exceptions:

Allow loading and execution of system and Microsoft modules.

Allow loading and execution of modules known/trusted by Doctor Web.
If enabled, modules signed with a trusted certificate are allowed to launch.

Launch of script interpreters

Enables control of launched script interpreters for the list of trusted applications.

Prevent running of CMD/BAT scripts.
This criterion blocks the launch of cmd and bat files.

Prevent running of HTA scripts.
This criterion blocks the launch of HTA scripts. Such scripts can run malicious code and download executable files that can harm your computer.

Prevent running of VBScript/JavaScript.
This criterion blocks the launch of applications written in the VBScript and JavaScript languages. Such applications can run malicious scripts and download executable files that can harm your computer.

Prevent running of PowerShell scripts.
This criterion blocks the launch of scripts written in the PowerShell language. Such scripts can run malicious code and download executable files to your computer.

Prevent running of REG scripts.
This criterion blocks the launch of registry scripts (files with the reg extension). These files can be used to add or change values in the registry.

Prevent running of scripts from NTFS alternate data streams (ADS).
Applications saved in NTFS alternate data streams (ADS) are often malicious. It is recommended to set this criterion.

Prevent running of scripts from network and shares.
Launching applications from the network and shared resources is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent running of scripts from removable media.
Launching applications from removable media is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent running of scripts from temporary folders.
Launching applications from temporary folders is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Exceptions:

Allow running of system scripts and Microsoft company scripts.

Allow running of known/trusted by Doctor Web scripts.
If enabled, scripts signed with a trusted certificate are allowed to run.
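The location and name criteria above (alternate data streams, network shares, removable media, temporary folders, double extensions) and the script-interpreter criteria are all decisions made from the path of the object being launched. The following evaluator is an added illustration of how such a policy reaches its verdict; it is not Dr.Web code. The criterion names follow the wording of the Application launch and Launch of script interpreters sections, but the path rules, the set of drive letters treated as removable, the way the trusted-signer exception is modelled and every sample path are constructed assumptions for this example. The same location criteria appear in the Modules, Drivers and MSI sections, so the same logic applies there with a different subject word.

```python
"""Evaluator for the location- and name-based launch criteria.

Added illustration, not Dr.Web code: criterion names follow the page, but the
path rules, removable drive letters and sample paths are assumptions.
"""
import ntpath
from dataclasses import dataclass

# File types the example treats as applications (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}
# Script interpreter types named on the page, mapped to the criterion that blocks them.
SCRIPT_CRITERIA = {
    ".cmd": "Prevent running of CMD/BAT scripts",
    ".bat": "Prevent running of CMD/BAT scripts",
    ".hta": "Prevent running of HTA scripts",
    ".vbs": "Prevent running of VBScript/JavaScript",
    ".js": "Prevent running of VBScript/JavaScript",
    ".ps1": "Prevent running of PowerShell scripts",
    ".reg": "Prevent running of REG scripts",
}
# "Document" extensions that make a trailing executable extension suspicious (assumption).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".txt", ".xls"}
# Constructed: drive letters this example treats as removable media.
REMOVABLE_DRIVES = {"E:", "F:"}
LOCATIONS = ("NTFS alternate data streams (ADS)", "network and shares",
             "removable media", "temporary folders")
# The maximum-protection set: every criterion this example knows how to evaluate.
ALL_CRITERIA = frozenset(
    [f"Prevent running of {s} from {loc}" for s in ("applications", "scripts") for loc in LOCATIONS]
    + list(SCRIPT_CRITERIA.values())
    + ["Prevent running of applications with double/non-typical extension"]
)


@dataclass
class LaunchRequest:
    path: str
    trusted_signer: bool = False  # signed by a certificate the vendor database trusts


def file_kind(path: str) -> str:
    ext = ntpath.splitext(path)[1].lower()
    if ext in SCRIPT_CRITERIA:
        return "script"
    return "application" if ext in EXECUTABLE_EXTS else "other"


def location_criteria(path: str, subject: str) -> list:
    """Return the 'from ...' criteria a path triggers (subject: applications or scripts)."""
    low = path.lower()
    hits = []
    if ":" in ntpath.basename(low):            # file.txt:hidden.exe names a data stream
        hits.append(f"Prevent running of {subject} from NTFS alternate data streams (ADS)")
    if low.startswith("\\\\"):                 # UNC path to a network share
        hits.append(f"Prevent running of {subject} from network and shares")
    if ntpath.splitdrive(low)[0].upper() in REMOVABLE_DRIVES:
        hits.append(f"Prevent running of {subject} from removable media")
    if low.startswith("c:\\windows\\temp\\") or "\\appdata\\local\\temp\\" in low:
        hits.append(f"Prevent running of {subject} from temporary folders")
    return hits


def has_double_extension(path: str) -> bool:
    """True for names like invoice.pdf.exe: a decoy document extension before the real one."""
    stem, ext = ntpath.splitext(ntpath.basename(path.lower()))
    return ext in EXECUTABLE_EXTS and ntpath.splitext(stem)[1] in DECOY_EXTS


def evaluate(req: LaunchRequest, enabled=ALL_CRITERIA, allow_trusted=False):
    """Return (verdict, triggered criteria). allow_trusted models the
    'Allow running of known/trusted by Doctor Web ...' exception, assumed here
    to override every location/extension criterion."""
    kind = file_kind(req.path)
    if kind == "other":
        return "allowed", []
    subject = "scripts" if kind == "script" else "applications"
    triggered = []
    if kind == "script":
        triggered.append(SCRIPT_CRITERIA[ntpath.splitext(req.path)[1].lower()])
    triggered += location_criteria(req.path, subject)
    if kind == "application" and has_double_extension(req.path):
        triggered.append("Prevent running of applications with double/non-typical extension")
    triggered = [c for c in triggered if c in enabled]
    if triggered and allow_trusted and req.trusted_signer:
        return "allowed (trusted-signer exception)", triggered
    return ("blocked" if triggered else "allowed"), triggered


if __name__ == "__main__":
    # Constructed sample launch requests, evaluated against the maximum-protection set.
    for p in [r"C:\Program Files\Vendor\app.exe",
              r"C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe",
              r"\\fileserver\public\setup.exe",
              r"E:\autorun.exe",
              r"C:\Users\bob\Downloads\readme.txt:payload.exe",
              r"C:\Scripts\cleanup.ps1"]:
        print(p, "->", evaluate(LaunchRequest(p)))
```

Passing a smaller set as `enabled` models a profile where only some criteria are set; with an empty set everything is allowed, which corresponds to the page's default of Disabled for all parameters.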

Drivers loading

Control driver loading for the list of trusted applications.

Prevent loading of drivers signed by certificates known in Doctor Web as certificates for adware.
This criterion blocks the launch of applications that may distribute advertising.

Prevent loading of drivers signed by certificates known in Doctor Web as gray.
This criterion blocks the launch of applications signed by "gray" certificates. These certificates are often used to sign insecure applications.

Prevent loading of drivers signed by certificates known in Doctor Web as certificates for hacktools.
This criterion blocks the launch of applications that threaten the system security. It is recommended to set this criterion.

Prevent loading of drivers signed by fake/malformed certificates.
This criterion blocks the launch of malicious applications signed with invalid certificates, that is, certificates that are corrupted or attached to a binary file in order to keep the threat from being detected (for example, certificates taken from legitimate software). It also helps when a legitimate file has been modified or infected with a virus. It is recommended to set this criterion.

Prevent loading of drivers signed by certificates known in Doctor Web as certificates for malware.
This criterion blocks the launch of applications signed with compromised certificates. It is recommended to set this criterion.

Prevent loading of drivers signed by revoked certificates.
This criterion blocks the launch of applications signed with stolen or compromised certificates and helps prevent the launch of potentially malicious applications. It is recommended to set this criterion.

Prevent loading of drivers signed by self-signed certificates.
This criterion blocks unlicensed software that may be malicious. Malicious programs can add a fake signature with a well-known name (for example, Microsoft) to their binary files and/or add a root certificate to the system so that this file is shown and recognized by the OS as legally signed.

Prevent loading of unsigned drivers.
This criterion blocks the launch of potentially malicious and untrusted applications of unknown origin.

Prevent loading of drivers from NTFS alternate data streams (ADS).
Applications saved in NTFS alternate data streams (ADS) are often malicious. It is recommended to set this criterion.

Prevent loading of drivers from network and shares.
Launching applications from the network and shared resources is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent loading of drivers from removable media.
Launching applications from removable media is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent loading of drivers from temporary folders.
Launching applications from temporary folders is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent loading of vulnerable driver versions of popular software.
This criterion blocks the loading of vulnerable driver versions of popular software. Legitimate software drivers, such as VirtualBox or Asus drivers, can be used to get into the system via RDP. When this option is enabled, unsafe versions of these drivers are blocked from loading. This criterion cannot be overridden by exceptions.

info

The Prevent loading vulnerable driver versions of popular software criterion cannot be overridden by exclusions.

Exceptions:

Allow loading of system drivers and Microsoft company drivers.

Allow loading of known/trusted by Doctor Web drivers.
If enabled, drivers signed with a trusted certificate are allowed to load.

MSI packages installation

Enables control of the launched MSI packages for the list of trusted applications.

Prevent installation of packages signed by certificates known in Doctor Web as certificates for adware.
This criterion blocks the launch of applications that may distribute advertising.

Prevent installation of packages signed by certificates known in Doctor Web as gray.
This criterion blocks the launch of applications signed by "gray" certificates. These certificates are often used to sign insecure applications.

Prevent installation of packages signed by certificates known in Doctor Web as certificates for hacktools.
This criterion blocks the launch of applications that threaten the system security. It is recommended to set this criterion.

Prevent installation of packages signed by fake/malformed certificates.
This criterion blocks the launch of malicious applications signed with invalid certificates, that is, certificates that are corrupted or attached to a binary file in order to keep the threat from being detected (for example, certificates taken from legitimate software). It also helps when a legitimate file has been modified or infected with a virus. It is recommended to set this criterion.

Prevent installation of packages signed by certificates known in Doctor Web as certificates for malware.
This criterion blocks the launch of applications signed with compromised certificates. It is recommended to set this criterion.

Prevent installation of packages signed by revoked certificates.
This criterion blocks the launch of applications signed with stolen or compromised certificates and helps prevent the launch of potentially malicious applications. It is recommended to set this criterion.

Prevent installation of packages signed by self-signed certificates.
This criterion blocks unlicensed software that may be malicious. Malicious programs can add a fake signature with a well-known name (for example, Microsoft) to their binary files and/or add a root certificate to the system so that this file is shown and recognized by the OS as legally signed.

Prevent installation of unsigned packages.
This criterion blocks the launch of potentially malicious and untrusted applications of unknown origin.

Prevent installation of packages from NTFS alternate data streams (ADS).
Applications saved in NTFS alternate data streams (ADS) are often malicious. It is recommended to set this criterion.

Prevent installation of packages from network and shares.
Launching applications from the network and shared resources is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent installation of packages from removable media.
Launching applications from removable media is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Prevent installation of packages from temporary folders.
Launching applications from temporary folders is an atypical scenario that can threaten the system security. It is recommended to set this criterion.

Exceptions:

Allow installation of system packages and Microsoft company packages.

Allow installation of known/trusted by Doctor Web packages.
If enabled, packages signed with a trusted certificate are allowed to be installed.

Executable files integrity

Enables control of executable files integrity. These criteria are only used in systems that run in a trusted execution environment, where all processes are controlled by an administrator (for example, ATMs and similar systems). If these criteria are used in other systems, their behavior is unpredictable, and the risk of station failure is high.

Prevent creating new executable files.
This criterion blocks attempts to create new executable files on disk.

Prevent modification of executable files.
This criterion blocks attempts to modify existing executable files on disk.

Exceptions:

Allow creation and modification of executable files by signed system applications and Microsoft company applications.

Allow creation and modification of executable files by signed known/trusted by Doctor Web applications.
If enabled, applications signed with a trusted certificate are allowed to create and modify executable files.

info

Criteria of the Executable files integrity category cannot be overridden by the allow/deny rules.
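The two criteria of this category correspond to two events: an executable file appearing on disk and an existing executable changing. Before enabling them on a trusted execution environment, an administrator usually wants to know how often those events occur there during normal operation. The following baseline-and-compare check is an added illustration of how to measure that, not Dr.Web code: it hashes every executable under a directory, takes a second snapshot later and reports what was created, modified or removed. The list of executable extensions and the files in the scenario are constructed assumptions for the example; the product itself decides in the kernel what counts as an executable file.

```python
"""Baseline-and-compare check for executable files in a directory tree.

Added illustration, not Dr.Web code: shows the two events the Executable
files integrity criteria act on (new executable, modified executable) as a
detection run over a hash baseline. Extensions and sample files are assumptions.
"""
import hashlib
import os
import tempfile

# Executable types covered by the example (assumption; the page does not list them).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".msi", ".scr"}


def is_executable(name: str) -> bool:
    return os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each executable under root (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if is_executable(name):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def compare(before: dict, after: dict) -> dict:
    """Classify executables as created, modified or removed between two snapshots.
    'created' and 'modified' are exactly the events the two criteria block."""
    return {
        "created": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "removed": sorted(p for p in before if p not in after),
    }


def demo() -> dict:
    """Constructed scenario in a temporary folder: one executable and one text
    file exist; then a new executable appears, the old one is patched and the
    text file changes (the text file must not be reported)."""
    with tempfile.TemporaryDirectory() as root:
        exe = os.path.join(root, "service.exe")
        txt = os.path.join(root, "readme.txt")
        with open(exe, "wb") as f:
            f.write(b"MZ original")
        with open(txt, "w") as f:
            f.write("not executable")
        before = snapshot(root)
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"MZ new")
        with open(exe, "wb") as f:
            f.write(b"MZ patched")
        with open(txt, "w") as f:
            f.write("changed, but not an executable")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run against a real station, the `created` and `modified` lists taken over a normal working day show which legitimate processes (updaters, installers) would be stopped once the criteria are enabled, and therefore whether the station really is the kind of administrator-controlled environment the category is meant for.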