Curing Commands

Once you receive the system status report, you can analyze the data using widgets and filters, apply actions to selected threats, and create a curing FixIt! tool with a specified curing script.

Figure 14. Creating a curing FixIt! tool

You can add curing commands to the script manually. Commands correspond to object types.

Below, you will find all the available curing commands. You can also view the list of these commands directly in the service: click Commands on the FixIt! tool tab.

Anti-rootkit scanner

Command

Description

disinfect <ID>

Cure the system object that has the specified internal identifier. It is usually applied to objects of the Non-signature detections type. The identifier is assigned to the object while generating a report.

Example:

disinfect "10b2e828339cae479b1e5310b5980b717b7bcc57"

disinfect-reg <ID>

Cure the registry startup item that has the specified internal identifier. It is applied to objects of the Scheduled tasks type. The identifier is assigned to the object while generating the report.

Example:

disinfect-reg "629387a5dbc86d60842f12af5c43ffa5816140cc"

ark-disinfect --imagepath <Path> / --sha256 <Value>

Neutralize the active object that has the specified parameter.

If Path is specified, the file at that location is deleted; if it is an executable file, the corresponding processes are also stopped.

If you specify a SHA256 value, the system will search for files with that hash among active processes. If any files are found, they will be deleted. The corresponding processes will also be stopped.

Example:

ark-disinfect --sha256 "71b969b079beba0db952399b918cdb6781aa5b5a1c3295129df92a0dd0fa457f"

Script commands

Command

Description

Signature detections

cure-file <Path>

Cure the file that has the detected threat signature.

The actions taken (deleting the file, curing its content, replacing it, and additional system actions) are defined by the signature detected in the file. When curing by deletion, the file's location, its activity in the system and similar factors are taken into account. Additional actions such as a pending delete, cleaning up startup items, or blocking the path until restart are performed if necessary.

If the file is clean when invoking the command, nothing happens.

Example:

cure-file "C:\Windows\System32\malware.exe"

File system

fs-move <Source> <Destination>

Move or rename the file or directory.

If Destination is an existing directory, Source will be moved to Destination. Otherwise Source is renamed to Destination.

Example:

fs-move "c:\con" "c:\lpt1"

fs-remove <Path>

Delete the file or directory with the specified path.

All remaining links between the object and other elements in the system will be specified at the end of the report.

Example:

fs-remove "c:\con"

fs-reset-acl [-r] <Path>

Set parent ACL for the file or directory.

If the -r option is specified, ACL is set recursively for each file and subdirectory.

If setting the ACL fails for the specified directory, the recursive traversal is stopped for the directory to avoid incorrect ACL setting for child elements.

Example:

fs-reset-acl -r "c:\test1\test2"

fs-clear-ads <Path>

Delete all ADS of the file or directory.

Example:

fs-clear-ads "C:\windows\explorer.exe"

Registry

reg-remove <SID> <Key path> [<Value>]

Delete a value or key. <SID> is a profile specified in the registry.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

All remaining links between the object and other elements in the system will be specified at the end of the report.

Examples:

reg-remove HKLM "SOFTWARE\Test"

reg-remove HKLM "SOFTWARE\Test" Value

reg-set-value [-f] <SID> <Key path> <Value name> <Type> <Value data>

Set a value for the specified key. <SID> is a profile specified in the registry.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

If the -f option is specified, parent keys are created (if they do not exist) and the key is overwritten with the new type.

To specify REG_SZ or REG_EXPAND_SZ type values, the string format is used.

To specify REG_BINARY or REG_MULTI_SZ type values, the binary format is used.

To specify REG_DWORD or REG_QWORD type values, the numeric format is used.

Examples:

reg-set-value -f HKLM "SOFTWARE\Test" TestSZ REG_SZ "Test"

reg-set-value -f HKLM "SOFTWARE\Test" TestBINARY REG_BINARY "5300530044005000530052005600"

reg-set-value -f HKLM "SOFTWARE\Test" TestDWORD REG_DWORD 0x1

reg-reset-acl [-r] <SID> <Key path>

Set parent ACL for the key.

If the -r option is specified, the ACL is reset recursively for each subkey.

If setting the ACL fails for the specified key, the recursive traversal is stopped for that key to avoid incorrect ACL setting for its subkeys.

Example:

reg-reset-acl -r HKLM "SOFTWARE\Test"

Processes

proc-dump [-f] --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Generate a short or full (-f) memory dump for a process that meets given criteria. A dump is created in the temporary directory and then stored in the artefacts during report generation.

Examples:

proc-dump --pid 4123

proc-dump -f --imagepath "C:\tools\procexp.exe"

proc-dump -f --cmdline "C:\test\procexp64.exe"

proc-execute [-w] <Path> [<Arguments>]

Start the process at the specified path with the specified arguments. In the path, system variables can be used. Adding the -w flag makes the command wait until the process is done.

Example:

proc-execute "c:\Windows\System32\win32calc.exe"

Examples with system variables:

proc-execute "%TEMP%\sample.exe"

proc-execute "\\/?\%windir%\notepad.exe"

proc-kill --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Terminate the specified process.

Example:

proc-kill --imagename win32calc.exe

proc-suspend --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Freeze the specified process.

Example:

proc-suspend --imagename win32calc.exe

Services

svc-start <Name>

Start the service with the specified name.

Example:

svc-start TestService

svc-stop <Name>

Stop the service with the specified name.

Example:

svc-stop TestService

svc-delete <Name>

Delete the service with the specified name.

Information about remaining references (service-related files) is added to the end of the report.

Example:

svc-delete TestService

svc-control <Name> <Control code>

Send the control code to the service with the specified name.

Example:

svc-control TestService 3

Scheduled tasks

task-run <Path>

Start the task with the specified path.

Example:

task-run "\Microsoft\Windows\TestTask"

task-delete <Path>

Delete the task with the specified path.

Information about unprocessed references from the object to files is added to the end of the report.

Example:

task-delete "\Microsoft\Windows\TestTask"

Layered service providers

lsp-delete <GUID>

Delete registered providers with the specified GUID.

Example:

lsp-delete {f9eab0c0-26d4-11d0-bbbf-00aa006c34e4}

Namespace service providers

nsp-delete <GUID>

Delete registered providers with the specified GUID.

Example:

nsp-delete {6642243a-3ba8-4aa6-baa5-2e0bd71fdd83}

WMI providers

wmi-delete-eventconsumer <Namespace> <Class> <Name>

Delete a WMI EventConsumer object from a specified namespace.

Example:

wmi-delete-eventconsumer ROOT\subscription CommandLineEventConsumer CommandLineTemplate

wmi-query <Namespace> <Query> <Values>

Run a WMI query and write returned values to a log.

Example:

wmi-query root\cimv2 "SELECT * FROM Win32_Process" Name,ProcessId,CommandLine,ThreadCount,WorkingSetSize

HOSTS file

hosts-clear <Path> <String> [<Strings>]

Comment out (prefix with "#") the specified lines of the HOSTS file, given by line number. Numbering starts with 1.

Example:

hosts-clear c:\Windows\System32\drivers\etc\hosts 44 45 46

hosts-default <Path>

Restore the standard HOSTS file for the system.

Example:

hosts-default c:\Windows\System32\drivers\etc\hosts

hosts-cure <Path>

Check all entries in the HOSTS file and comment out every entry whose IP address is identified as malicious. The line # cured by Dr.Web is added to the file.

Example:

hosts-cure c:\Windows\System32\drivers\etc\hosts

Browser extensions and configuration

chromium-remove-ext <Browser> <SID> <Profile> <Extension ID>

Remove the browser extension for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Examples:

chromium-remove-ext Chrome S-1-5-21-120241661-1916511805-682617159-1001 default geadmilgigoffmcnlfdlpihockonlopf

chromium-remove-ext Opera S-1-5-21-120241661-1916511805-682617159-1001 "" geadmilgigoffmcnlfdlpihockonlopf

firefox-remove-ext <Browser> <SID> <Profile> <Extension ID>

Remove the browser extension for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

firefox-remove-ext Firefox S-1-5-21-120241661-1916511805-682617159-1001 default default-theme@mozilla.org

chromium-clear <Browser> <SID> <Profile> <URL>

Remove the URL from browser configuration for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

chromium-clear Chrome S-1-5-21-120241661-1916511805-682617159-1001 Default malware.com

firefox-clear <Browser> <SID> <Profile> <URL>

Remove the URL from browser configuration for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

firefox-clear Firefox S-1-5-21-120241661-1916511805-682617159-1001 default malware.com

Dr.Web

drweb-remove

Remove Dr.Web software and/or all of its traces from the system.

Example:

drweb-remove

Users

user-delete <User name>

Delete the specified user on the workstation.

System

reboot [-f]

Reboot the system with a 1-minute countdown timer in a system dialog box. The command will stop the generation of a report.

shutdown [-f]

Shut down the system with a 1-minute countdown timer in a system dialog box. The command will stop the generation of a report.
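As an added example (not part of the FixIt! tool or the Dr.Web documentation), a small Python linter that checks a curing script against the argument rules listed above before it is packaged into a FixIt! tool: the allowed <SID> values, the string, binary and numeric formats of the reg-set-value types, the {GUID} form for lsp-delete and nsp-delete, exactly one selector per proc-* command, and 1-based line numbers for hosts-clear. It assumes one command per line with double-quoted arguments, and the sample script it checks is constructed.

```python
# Added example: lint a FixIt! curing script against the argument rules above.
import re
import shlex

SIDS = {".DEFAULT", "HKLM", "HKCU", "HKU"}
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SELECTORS = {"--pid", "--imagename", "--imagepath", "--cmdline"}
# Command -> position of its <SID> argument once leading flags are removed.
SID_ARG = {"reg-remove": 0, "reg-set-value": 0, "reg-reset-acl": 0,
           "chromium-remove-ext": 1, "firefox-remove-ext": 1,
           "chromium-clear": 1, "firefox-clear": 1}
# Constructed sample script; lines 5 and 6 are deliberately wrong.
SAMPLE = r"""proc-kill --imagename sample.exe
cure-file "C:\Users\Public\sample.exe"
reg-set-value -f HKLM "SOFTWARE\Test" TestDWORD REG_DWORD 0x1
lsp-delete {f9eab0c0-26d4-11d0-bbbf-00aa006c34e4}
reg-remove HKLN "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" Updater
reg-set-value -f HKLM "SOFTWARE\Test" Bad REG_BINARY "53005G"
"""

def lint_line(line):
    """Return a problem string for one script line, or None if it passes."""
    toks = [t.strip('"') for t in shlex.split(line, posix=False)]
    if not toks:
        return None
    cmd, args = toks[0], toks[1:]
    while args and args[0] in ("-f", "-r", "-w"):  # drop leading option flags
        args.pop(0)
    i = SID_ARG.get(cmd)
    if i is not None and (len(args) <= i or not (args[i] in SIDS or args[i].startswith("S-1-5"))):
        return f"{cmd}: <SID> must be .DEFAULT, HKLM, HKCU, HKU or S-1-5..."
    if cmd == "reg-set-value":
        if len(args) != 5:
            return "reg-set-value: expected <SID> <Key path> <Value name> <Type> <Value data>"
        rtype, data = args[3], args[4]
        if rtype in ("REG_BINARY", "REG_MULTI_SZ") and not re.fullmatch(r"([0-9A-Fa-f]{2})*", data):
            return f"{rtype}: value data must be hex bytes"
        if rtype in ("REG_DWORD", "REG_QWORD") and not re.fullmatch(r"0x[0-9A-Fa-f]+|\d+", data):
            return f"{rtype}: value data must be numeric"
    elif cmd in ("lsp-delete", "nsp-delete") and not (len(args) == 1 and GUID.match(args[0])):
        return f"{cmd}: argument must be a {{GUID}}"
    elif cmd in ("proc-kill", "proc-suspend", "proc-dump") and sum(a in SELECTORS for a in args) != 1:
        return f"{cmd}: use exactly one of --pid/--imagename/--imagepath/--cmdline"
    elif cmd == "hosts-clear" and not (len(args) > 1 and all(n.isdigit() and int(n) > 0 for n in args[1:])):
        return "hosts-clear: line numbers must be integers starting at 1"
    return None

def lint_script(text):
    """Return (line number, problem) pairs for every line that fails a check."""
    return [(n, p) for n, l in enumerate(text.splitlines(), 1) if (p := lint_line(l))]
```

Running lint_script(SAMPLE) reports line 5 (invalid <SID> HKLN) and line 6 (non-hex REG_BINARY data) and accepts the others.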