Curing Commands

Once you receive a report on the state of the system, you can analyze the received data (see Search and Analyze) with the help of filters, apply actions to selected threats and create the curing FixIt! tool with a specified curing script (see Figure 19).


Figure 19. Creating the curing FixIt! tool

You can add curing commands to the script manually. Commands correspond to object types.

Listed below are all of the curing commands available. To view the list of curing commands in the web service, click Commands on the FixIt! tool tab.

Anti-rootkit scanner

Command

Description

disinfect <ID>

Cure the system object with the specified internal identifier. It is usually applied to objects of the Non-signature detections type. The identifier is assigned to the object while generating the report.

Example:

disinfect "10b2e828339cae479b1e5310b5980b717b7bcc57"

disinfect-reg <ID>

Cure the registry startup item with the specified internal identifier. It is applied to objects of the Scheduled tasks type. The identifier is assigned to the object while generating the report.

Example:

disinfect-reg "629387a5dbc86d60842f12af5c43ffa5816140cc"

Script commands

Command

Description

Signature detections

cure-file <Path>

Cure the file with the detected threat signature.

The action taken (deleting the file, curing its content, replacing it, or additional system actions) is determined by the signature detected in the file. When curing by deletion, the file's location, its activity in the system, etc. are taken into account, and additional steps such as a pending delete, cleaning up startup items, or blocking the path until restart are performed if necessary.

If the file is clean when the command is invoked, nothing happens.

Example:

cure-file C:\Windows\System32\malware.exe

ark-disinfect --imagepath <Path> / --sha256 <Value>

Neutralize the active object identified by the given parameter.

If a path is specified, the file at that location is deleted. If it is an executable file, the corresponding processes are also terminated.

If a SHA256 value is specified, the image files of running processes are searched for a file with that hash. Any files found are deleted and the corresponding processes are terminated.

Example:

ark-disinfect --sha256 "71b969b079beba0db952399b918cdb6781aa5b5a1c3295129df92a0dd0fa457f"

File system

fs-move <Source> <Destination>

Move or rename the file or directory.

If Destination is an existing directory, Source is moved into Destination. Otherwise, Source is renamed to Destination.

Example:

fs-move c:\con c:\lpt1

fs-remove <Path>

Delete the file or directory with the specified path.

Any remaining references between the object and other elements of the system are listed at the end of the report.

Example:

fs-remove c:\con

fs-reset-acl [-r] <Path>

Reset the ACL of the file or directory to the one inherited from its parent.

If the -r option is specified, the ACL is reset recursively for every file and subdirectory.

If setting the ACL fails for a directory, recursion into that directory stops, so that its child elements do not receive an ACL derived from a wrong parent.

Example:

fs-reset-acl -r c:\test1\test2

fs-clear-ads <Path>

Delete all ADS of the file or directory.

Example:

fs-clear-ads C:\windows\explorer.exe

Registry

reg-remove <SID> <Key path> [<Value>]

Delete the value or the key. SID is the registry profile (for example, HKLM in the examples below).

Any remaining references between the object and other elements of the system are listed at the end of the report.

Examples:

reg-remove HKLM SOFTWARE\Test

reg-remove HKLM SOFTWARE\Test Value

reg-set-value [-f] <SID> <Key path> <Value name> <Type> <Value data>

Set value for the specified key. SID is a profile specified in the registry.

If the -f option is specified, missing parent keys are created and an existing value is overwritten even if its type differs from the new one.

REG_SZ and REG_EXPAND_SZ values are specified as strings.

REG_BINARY and REG_MULTI_SZ values are specified in binary format, as a hex-encoded byte string (see the example below).

REG_DWORD and REG_QWORD values are specified as numbers.

Examples:

reg-set-value -f HKLM SOFTWARE\Test TestSZ REG_SZ "Test"

reg-set-value -f HKLM SOFTWARE\Test TestBINARY REG_BINARY "5300530044005000530052005600"

reg-set-value -f HKLM SOFTWARE\Test TestDWORD REG_DWORD 0x1
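The following Python helper is an added example, not Dr.Web's code and not part of the original page. It builds reg-set-value lines in the three data formats described above and encodes/decodes the hex form. It assumes that the hex string is the raw little-endian bytes of the value as stored in the registry (so a REG_MULTI_SZ is its UTF-16LE strings separated by NUL and closed by a double NUL), that string and hex data are wrapped in double quotes as in the examples above, and that key paths contain no spaces; whether FixIt! requires the terminating NULs for REG_MULTI_SZ is not stated on this page. Decoding the REG_BINARY example above shows that it is the UTF-16LE text SSDPSRV, which is what you get when a service-name list is pasted in as raw bytes.

```python
"""Added example: building reg-set-value lines in the three data formats.
Assumptions (not stated on this page): hex data is the raw little-endian
registry bytes, so REG_MULTI_SZ = UTF-16LE strings, NUL-separated, double-NUL
terminated; string and hex data are wrapped in double quotes; key paths
contain no spaces."""

STRING_TYPES = {"REG_SZ", "REG_EXPAND_SZ"}
NUMERIC_TYPES = {"REG_DWORD", "REG_QWORD"}


def encode_multi_sz(strings) -> bytes:
    """Raw REG_MULTI_SZ bytes: each item NUL-terminated, list closed by an
    extra NUL. Empty items are rejected because an empty string would end
    the list early when Windows reads it back."""
    if not strings or any(s == "" or "\x00" in s for s in strings):
        raise ValueError("REG_MULTI_SZ items must be non-empty and NUL-free")
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


def decode_multi_sz(data: bytes) -> list:
    """Inverse of encode_multi_sz; also accepts unterminated data such as the
    REG_BINARY example on this page (which is the UTF-16LE text 'SSDPSRV')."""
    if len(data) % 2:
        raise ValueError("UTF-16LE data must have even length")
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def format_value_data(vtype: str, data) -> str:
    """Render <Value data> in the format the command expects for <Type>."""
    if vtype in STRING_TYPES:
        if not isinstance(data, str) or '"' in data:
            raise ValueError("string data must be a str without double quotes")
        return f'"{data}"'
    if vtype == "REG_MULTI_SZ":
        return f'"{encode_multi_sz(data).hex()}"'
    if vtype == "REG_BINARY":
        return f'"{bytes(data).hex()}"'
    if vtype in NUMERIC_TYPES:
        limit = 1 << (32 if vtype == "REG_DWORD" else 64)
        if isinstance(data, bool) or not isinstance(data, int) or not 0 <= data < limit:
            raise ValueError(f"{vtype} data must be an unsigned integer below {limit:#x}")
        return hex(data)
    raise ValueError(f"unsupported registry type: {vtype}")


def reg_set_value_line(sid, key_path, value_name, vtype, data, force=True) -> str:
    """Assemble one reg-set-value command line."""
    parts = ["reg-set-value"] + (["-f"] if force else [])
    parts += [sid, key_path, value_name, vtype, format_value_data(vtype, data)]
    return " ".join(parts)


if __name__ == "__main__":
    print(reg_set_value_line("HKLM", r"SOFTWARE\Test", "TestSZ", "REG_SZ", "Test"))
    print(reg_set_value_line("HKLM", r"SOFTWARE\Test", "Deps", "REG_MULTI_SZ",
                             ["SSDPSRV", "upnphost"]))
    print(decode_multi_sz(bytes.fromhex("5300530044005000530052005600")))
```

The range check on REG_DWORD/REG_QWORD matters when a script is generated from a report: a value that does not fit the type silently becomes a different value on the target, so the helper refuses it instead.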

reg-reset-acl [-r] <Key path>

Reset the ACL of the key to the one inherited from its parent.

If the -r option is specified, the ACL is reset recursively for every subkey.

If setting the ACL fails for a key, recursion into that key stops, so that its subkeys do not receive an ACL derived from a wrong parent.

Example:

reg-reset-acl -r HKLM SOFTWARE\Test

Processes

proc-execute <Path> [<Arguments>]

Start the process with the specified arguments.

Example:

proc-execute c:\Windows\System32\win32calc.exe

proc-kill --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Terminate the specified process.

Example:

proc-kill --imagename win32calc.exe

proc-suspend --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Freeze the specified process.

Example:

proc-suspend --imagename win32calc.exe

Services

svc-start <Name>

Start the service with the specified name.

Example:

svc-start TestService

svc-stop <Name>

Stop the service with the specified name.

Example:

svc-stop TestService

svc-delete <Name>

Delete the service with the specified name.

Information about remaining references (service-related files) is added to the end of the report.

Example:

svc-delete TestService

svc-control <Name> <Control code>

Send the control code to the service with the specified name.

Example:

svc-control TestService 3

Scheduled tasks

task-run <Path>

Start the task with the specified path.

Example:

task-run \Microsoft\Windows\TestTask

task-delete <Path>

Delete the task with the specified path.

Information about references from the task to files that were not processed is added to the end of the report.

Example:

task-delete \Microsoft\Windows\TestTask

Layered service providers

lsp-delete <GUID>

Delete the registered providers with the specified GUID from the registry.

Example:

lsp-delete {f9eab0c0-26d4-11d0-bbbf-00aa006c34e4}

Namespace service providers

nsp-delete <GUID>

Delete the registered providers with the specified GUID from the registry.

Example:

nsp-delete {6642243a-3ba8-4aa6-baa5-2e0bd71fdd83}

WMI providers

wmi-delete <Namespace> <Class name> <Class ID> <Value>

Delete WMI object.

Example:

wmi-delete ROOT\subscription CommandLineEventConsumer {266c72e5-62e8-11d1-ad89-00c04fd8fdff} CommandLineTemplate

HOSTS file

hosts-clear <Path> <Line> [<Lines>]

Comment out (prefix with "#") the lines with the specified numbers in the HOSTS file. Line numbering starts at 1.

Example:

hosts-clear c:\Windows\System32\drivers\etc\hosts 44 45 46

hosts-default <Path>

Restore the standard HOSTS file for the system.

Example:

hosts-default c:\Windows\System32\drivers\etc\hosts

hosts-cure <Path>

Check all entries in the HOSTS file and comment out those that contain malicious IP addresses. The command also adds the entry # cured by Dr.Web.

Example:

hosts-cure c:\Windows\System32\drivers\etc\hosts
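The following Python model is an added example, not Dr.Web's code and not part of the original page. It reproduces the behaviour described for hosts-clear and hosts-cure over a constructed HOSTS file so that the edge cases are visible: 1-based line numbers, numbers outside the file, lines that are already comments, trailing comments on an entry, tab separators, IPv6 entries, and the "# cured by Dr.Web" marker being appended only when something was actually cured (the marker text is taken from the command description). The set of malicious addresses is a constructed stand-in for whatever detection data the real command uses, and the sample file uses documentation address ranges only.

```python
"""Added example: reference models of hosts-clear and hosts-cure over a
constructed HOSTS file. Not Dr.Web's code; BAD_IPS is a constructed stand-in
for the real command's detection data."""
import ipaddress

CURE_MARKER = "# cured by Dr.Web"   # marker text from the command description

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, so nothing here points at a real host.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"            # line 1
    "127.0.0.1       localhost\n"                             # line 2
    "::1             localhost\n"                             # line 3
    "203.0.113.7     update.example-av.test   # hijacked\n"   # line 4
    "203.0.113.7\twww.bank.example\n"                         # line 5
    "198.51.100.23   cdn.example.net\n"                       # line 6
    "#198.51.100.23  already-commented.example\n"             # line 7
)
BAD_IPS = {"203.0.113.7", "198.51.100.23"}


def hosts_clear(text: str, line_numbers) -> str:
    """hosts-clear: comment out the given 1-based lines. Numbers outside the
    file and lines that are already comments are left alone, so re-running
    the same command is harmless."""
    lines = text.splitlines(keepends=True)
    for n in line_numbers:
        i = n - 1
        if 0 <= i < len(lines) and not lines[i].lstrip().startswith("#"):
            lines[i] = "#" + lines[i]
    return "".join(lines)


def parse_hosts_entry(line: str):
    """Return (ip_address, [hostnames]) for an active entry, or None for
    blank lines, comments, or lines whose first field is not an IP."""
    body = line.split("#", 1)[0].split()
    if not body:
        return None
    try:
        return ipaddress.ip_address(body[0]), body[1:]
    except ValueError:
        return None


def hosts_cure(text: str, bad_ips) -> tuple:
    """hosts-cure: comment out every active entry whose address is in bad_ips
    and append the cure marker once. Returns (new_text, lines_cured); the
    text is returned unchanged when nothing matched."""
    bad = {ipaddress.ip_address(ip) for ip in bad_ips}
    lines = text.splitlines(keepends=True)
    cured = 0
    for i, line in enumerate(lines):
        entry = parse_hosts_entry(line)
        if entry is not None and entry[0] in bad:
            lines[i] = "#" + line
            cured += 1
    if cured == 0:
        return text, 0
    out = "".join(lines)
    if not out.endswith("\n"):
        out += "\n"
    return out + CURE_MARKER + "\n", cured


if __name__ == "__main__":
    cured_text, n = hosts_cure(SAMPLE_HOSTS, BAD_IPS)
    print(f"{n} entries cured:\n{cured_text}")
    print(hosts_clear(SAMPLE_HOSTS, [4, 5, 99]))
```

Matching on the parsed address rather than on the raw text is what makes the model robust against the usual evasions in a tampered HOSTS file (tabs instead of spaces, a trailing comment after the hostname, or the same address written for several names); the real command's parser is not documented here, so treat this as the behaviour to expect, not a specification.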

Browser extensions and configuration

chromium-remove-ext <Browser> <SID> <Profile> <Extension ID>

Remove the browser extension for the specified profile.

Examples:

chromium-remove-ext Chrome S-1-5-21-120241661-1916511805-682617159-1001 default geadmilgigoffmcnlfdlpihockonlopf

chromium-remove-ext Opera S-1-5-21-120241661-1916511805-682617159-1001 "" geadmilgigoffmcnlfdlpihockonlopf

firefox-remove-ext <Browser> <SID> <Profile> <Extension ID>

Remove the browser extension for the specified profile.

Example:

firefox-remove-ext Firefox S-1-5-21-120241661-1916511805-682617159-1001 default default-theme@mozilla.org

chromium-clear <Browser> <SID> <Profile> <URL>

Remove the URL from browser configuration for the specified profile.

Example:

chromium-clear Chrome S-1-5-21-120241661-1916511805-682617159-1001 Default malware.com

firefox-clear <Browser> <SID> <Profile> <URL>

Remove the URL from browser configuration for the specified profile.

Example:

firefox-clear Firefox S-1-5-21-120241661-1916511805-682617159-1001 default malware.com

Dr.Web

drweb-remove

Remove Dr.Web software and/or all of its traces from the system.

Example:

drweb-remove