Signature detections

cure-file <Path>
    Cure the file with the detected threat signature.
    The actions taken (such as deleting the file, curing its content, replacing it, and additional system actions) are defined by the signature detected in the file. When curing by deletion, the file location, its activity in the system, etc. are taken into account. Additional actions such as a pending delete, cleaning up startup items, blocking the path until restart, etc. are performed if necessary.
    If the file is clean when the command is invoked, nothing happens.
    Example:
        cure-file C:\Windows\System32\malware.exe

ark-disinfect --imagepath <Path> / --sha256 <Value>
    Neutralize the active object identified by the specified parameter.
    If a path is specified, the file at that location is deleted. If it is an executable file, the corresponding processes are also stopped.
    If a SHA256 value is specified, the files of active processes are searched for a match. Any matching files are deleted, and the corresponding processes are stopped.
    Example:
        ark-disinfect --sha256 "71b969b079beba0db952399b918cdb6781aa5b5a1c3295129df92a0dd0fa457f"
File system

fs-move <Source> <Destination>
    Move or rename the file or directory.
    If Destination is an existing directory, Source is moved into Destination. Otherwise Source is renamed to Destination.
    Example:

fs-remove <Path>
    Delete the file or directory at the specified path.
    All remaining links between the object and other elements in the system are listed at the end of the report.
    Example:

fs-reset-acl [-r] <Path>
    Set the parent ACL on the file or directory.
    If the -r option is specified, the ACL is set recursively for each file and subdirectory.
    If setting the ACL fails for a directory, the recursive traversal stops for that directory to avoid setting an incorrect ACL on its child elements.
    Example:
        fs-reset-acl -r c:\test1\test2

fs-clear-ads <Path>
    Delete all alternate data streams (ADS) of the file or directory.
    Example:
        fs-clear-ads C:\windows\explorer.exe
Registry

reg-remove <SID> <Key path> [<Value>]
    Delete a registry value or key. SID is a profile specified in the registry.
    All remaining links between the object and other elements in the system are listed at the end of the report.
    Examples:
        reg-remove HKLM SOFTWARE\Test
        reg-remove HKLM SOFTWARE\Test Value

reg-set-value [-f] <SID> <Key path> <Value name> <Type> <Value data>
    Set a value under the specified key. SID is a profile specified in the registry.
    If the -f option is specified, parent keys are created (if they do not exist) and the key is overwritten with the new type.
    Value data is given according to the value type:
    • REG_SZ, REG_EXPAND_SZ: string format.
    • REG_BINARY, REG_MULTI_SZ: binary format (hex string of the raw bytes).
    • REG_DWORD, REG_QWORD: numeric format.
    Examples:
        reg-set-value -f HKLM SOFTWARE\Test TestSZ REG_SZ "Test"
        reg-set-value -f HKLM SOFTWARE\Test TestBINARY REG_BINARY "5300530044005000530052005600"
        reg-set-value -f HKLM SOFTWARE\Test TestDWORD REG_DWORD 0x1
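The "binary format" for REG_BINARY and REG_MULTI_SZ is the least obvious of the three value-data formats, so the following added example (it is not Dr.Web's own code) shows how to build the <Value data> argument for each type. The REG_BINARY data in the page's example decodes as the UTF-16LE string "SSDPSRV"; the REG_MULTI_SZ layout (each string UTF-16LE with a NUL terminator, plus one extra NUL ending the list) is the native Windows layout and is assumed to be what the command expects. The quoting rule in build_command (strings and hex data in double quotes, numbers bare) is inferred from the page's examples, and strings containing a double quote are rejected rather than guessing an escape syntax.

```python
"""Build the <Value data> argument of reg-set-value for each registry value type.

Added example, not Dr.Web's code. Assumptions: REG_MULTI_SZ uses the native
Windows double-NUL-terminated UTF-16LE layout; strings and hex data are
double-quoted on the command line, numbers are passed bare (as in the page's
examples). Escaping of embedded double quotes is unknown, so it is refused.
"""

STRING_TYPES = {"REG_SZ", "REG_EXPAND_SZ"}
BINARY_TYPES = {"REG_BINARY", "REG_MULTI_SZ"}
NUMERIC_TYPES = {"REG_DWORD", "REG_QWORD"}


def encode_binary(data: bytes) -> str:
    """Raw bytes -> upper-case hex string, the 'binary format' of the command."""
    return data.hex().upper()


def decode_binary(hex_data: str) -> bytes:
    """Hex string -> raw bytes; rejects odd-length input before it is misread."""
    if len(hex_data) % 2:
        raise ValueError("hex value data must have an even number of digits")
    return bytes.fromhex(hex_data)


def encode_multi_sz(strings: list[str]) -> str:
    """List of strings -> hex of UTF-16LE, each NUL-terminated, plus a final NUL."""
    if any(s == "" or "\x00" in s for s in strings):
        raise ValueError("REG_MULTI_SZ items must be non-empty and contain no NUL")
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return encode_binary(raw + b"\x00\x00")


def decode_multi_sz(hex_data: str) -> list[str]:
    """Inverse of encode_multi_sz; empty segments (the terminators) are dropped."""
    text = decode_binary(hex_data).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def encode_number(value: int, qword: bool = False) -> str:
    """Unsigned 32-bit (DWORD) or 64-bit (QWORD) integer -> hex literal like 0x1."""
    bits = 64 if qword else 32
    if not 0 <= value < (1 << bits):
        raise ValueError(f"value does not fit in {bits} unsigned bits")
    return f"0x{value:X}"


def build_command(sid: str, key_path: str, name: str, reg_type: str, data, force: bool = True) -> str:
    """Assemble a reg-set-value line; `data` is a str, bytes, list[str] or int by type."""
    if reg_type in STRING_TYPES:
        if '"' in data:
            raise ValueError("embedded double quotes are not supported by this helper")
        arg = f'"{data}"'
    elif reg_type == "REG_BINARY":
        arg = f'"{encode_binary(data)}"'
    elif reg_type == "REG_MULTI_SZ":
        arg = f'"{encode_multi_sz(data)}"'
    elif reg_type in NUMERIC_TYPES:
        arg = encode_number(data, qword=(reg_type == "REG_QWORD"))
    else:
        raise ValueError(f"unsupported value type {reg_type}")
    flag = "-f " if force else ""
    return f"reg-set-value {flag}{sid} {key_path} {name} {reg_type} {arg}"


if __name__ == "__main__":
    # The page's REG_BINARY example is "SSDPSRV" in UTF-16LE.
    print(decode_binary("5300530044005000530052005600").decode("utf-16-le"))
    print(build_command("HKLM", r"SOFTWARE\Test", "TestMulti", "REG_MULTI_SZ", ["SSDPSRV"]))
```

Decoding the page's own example before constructing new data is a cheap sanity check: if the decoded text is not what you expect, the hex was probably produced with the wrong encoding (ASCII instead of UTF-16LE is the usual mistake).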
reg-reset-acl [-r] <Key path>
    Set the parent ACL on the key.
    If the -r option is specified, the ACL is reset recursively for each subkey.
    If setting the ACL fails for a key, the recursive traversal stops for that key to avoid setting an incorrect ACL on its child elements.
    Example:
        reg-reset-acl -r HKLM SOFTWARE\Test
Processes

proc-execute <Path> [<Arguments>]
    Start the process with the specified arguments.
    Example:
        proc-execute c:\Windows\System32\win32calc.exe

proc-kill --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>
    Terminate the specified process.
    Example:
        proc-kill --imagename win32calc.exe

proc-suspend --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>
    Freeze the specified process.
    Example:
        proc-suspend --imagename win32calc.exe
Services

svc-start <Name>
    Start the service with the specified name.
    Example:

svc-stop <Name>
    Stop the service with the specified name.
    Example:

svc-delete <Name>
    Delete the service with the specified name.
    Information about remaining references (service-related files) is added to the end of the report.
    Example:

svc-control <Name> <Control code>
    Send the control code to the service with the specified name.
    Example:
        svc-control TestService 3
Scheduled tasks

task-run <Path>
    Start the task with the specified path.
    Example:
        task-run \Microsoft\Windows\TestTask

task-delete <Path>
    Delete the task with the specified path.
    Information about unprocessed references from the object to files is added to the end of the report.
    Example:
        task-delete \Microsoft\Windows\TestTask
Layered service providers

lsp-delete <GUID>
    Delete the providers registered in the registry under the specified GUID.
    Example:
        lsp-delete {f9eab0c0-26d4-11d0-bbbf-00aa006c34e4}
Namespace service providers

nsp-delete <GUID>
    Delete the providers registered in the registry under the specified GUID.
    Example:
        nsp-delete {6642243a-3ba8-4aa6-baa5-2e0bd71fdd83}
WMI providers

wmi-delete <Namespace> <Class name> <Class ID> <Value>
    Delete the WMI object.
    Example:
        wmi-delete ROOT\subscription CommandLineEventConsumer {266c72e5-62e8-11d1-ad89-00c04fd8fdff} CommandLineTemplate
HOSTS file

hosts-clear <Path> <String> [<Strings>]
    Comment out (prefix with "#") the specified lines of the HOSTS file, given by line number. Line numbering starts at 1.
    Example:
        hosts-clear c:\Windows\System32\drivers\etc\hosts 44 45 46

hosts-default <Path>
    Restore the standard HOSTS file for the system.
    Example:
        hosts-default c:\Windows\System32\drivers\etc\hosts

hosts-cure <Path>
    Check all entries in the HOSTS file and comment out those that contain malicious IP addresses. The command also adds the entry "# cured by Dr.Web".
    Example:
        hosts-cure c:\Windows\System32\drivers\etc\hosts
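To make the difference between hosts-clear (by line number) and hosts-cure (by address) concrete, here is an added example, not Dr.Web's code, that performs the same two operations on a HOSTS file in memory. The hosts content and the blocklist are constructed sample data using TEST-NET addresses, and the exact form and placement of the "# cured by Dr.Web" entry is an assumption; Dr.Web's own malicious-address database is of course not part of this.

```python
"""Comment out HOSTS entries by line number (hosts-clear) or by address (hosts-cure).

Added example, not Dr.Web's code. SAMPLE_HOSTS and SAMPLE_BAD_IPS are constructed
test data; appending CURE_MARKER as the last line is an assumption about how the
"# cured by Dr.Web" entry is recorded.
"""
import ipaddress

CURE_MARKER = "# cured by Dr.Web"

# Constructed sample file: lines 1-3 are comments, lines 4-7 are entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
203.0.113.10    update.example.com   # constructed: vendor host pointed elsewhere
198.51.100.7    www.example.org
127.0.0.1       telemetry.example.net
"""

# Constructed blocklist (TEST-NET ranges, not real indicators).
SAMPLE_BAD_IPS = {"203.0.113.10", "198.51.100.7"}


def clear_lines(text: str, line_numbers) -> str:
    """hosts-clear: prefix the given 1-based lines with '#'; already-commented lines are left alone."""
    lines = text.splitlines(keepends=True)
    for n in line_numbers:
        if not 1 <= n <= len(lines):
            raise ValueError(f"line {n} out of range 1..{len(lines)}")
        if not lines[n - 1].lstrip().startswith("#"):
            lines[n - 1] = "#" + lines[n - 1]
    return "".join(lines)


def parse_entry(line: str):
    """Return (normalized_ip, [names]) for an active entry, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()       # drop trailing inline comments
    if not body:
        return None
    parts = body.split()
    try:
        ip = ipaddress.ip_address(parts[0])    # rejects malformed or non-address tokens
    except ValueError:
        return None
    return str(ip), parts[1:]


def cure_hosts(text: str, bad_ips) -> tuple[str, list[int]]:
    """hosts-cure: comment out entries whose address is in bad_ips.

    Returns the new text and the 1-based numbers of the lines that were cured.
    The marker is appended only when something was actually changed, so running
    the function twice does not add a second marker.
    """
    bad = {str(ipaddress.ip_address(ip)) for ip in bad_ips}   # normalize, e.g. IPv6 forms
    lines = text.splitlines(keepends=True)
    cured: list[int] = []
    for i, line in enumerate(lines, start=1):
        entry = parse_entry(line)
        if entry is not None and entry[0] in bad:
            lines[i - 1] = "#" + line
            cured.append(i)
    if cured:
        if lines and not lines[-1].endswith("\n"):
            lines[-1] += "\n"
        lines.append(CURE_MARKER + "\n")
    return "".join(lines), cured


if __name__ == "__main__":
    text, cured = cure_hosts(SAMPLE_HOSTS, SAMPLE_BAD_IPS)
    print(f"cured lines: {cured}")
    print(text)
```

The address comparison goes through ipaddress so that equivalent spellings of the same address (for instance different IPv6 abbreviations) match the blocklist, and the inline-comment stripping in parse_entry means an entry followed by a trailing comment is still recognized.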
Browser extensions and configuration

chromium-remove-ext <Browser> <SID> <Profile> <Extension ID>
    Remove the browser extension for the specified profile.
    Examples:
        chromium-remove-ext Chrome S-1-5-21-120241661-1916511805-682617159-1001 default geadmilgigoffmcnlfdlpihockonlopf
        chromium-remove-ext Opera S-1-5-21-120241661-1916511805-682617159-1001 "" geadmilgigoffmcnlfdlpihockonlopf

firefox-remove-ext <Browser> <SID> <Profile> <Extension ID>
    Remove the browser extension for the specified profile.
    Example:
        firefox-remove-ext Firefox S-1-5-21-120241661-1916511805-682617159-1001 default default-theme@mozilla.org

chromium-clear <Browser> <SID> <Profile> <URL>
    Remove the URL from the browser configuration for the specified profile.
    Example:
        chromium-clear Chrome S-1-5-21-120241661-1916511805-682617159-1001 Default malware.com

firefox-clear <Browser> <SID> <Profile> <URL>
    Remove the URL from the browser configuration for the specified profile.
    Example:
        firefox-clear Firefox S-1-5-21-120241661-1916511805-682617159-1001 default malware.com
Dr.Web

drweb-remove
    Remove Dr.Web software and/or all of its traces from the system.
    Example: