Call Format

1. Format of the utility call

The call format for the command-line tool which manages Dr.Web for Linux operation is as follows:

$ drweb-ctl [<general options> | <command> [<argument>] [<command options>]]

where:

<general options> – options that can be applied on startup when the command is not specified or can be applied for any command. Not mandatory for startup.

<command> – command to be performed by Dr.Web for Linux (for example, start scanning, output the list of quarantined objects).

<argument> – command argument. Depends on the specified command. Can be missing for certain commands.

<command options> – options managing command operation. Depends on the command. Can be missing for certain commands.

2. General options

The following general options are available:

Option

Description

-h,
--help

Show summary help information and exit.

For information on a certain command, enter the following:

drweb-ctl -h <command> or drweb-ctl <command> -h

-v,
--version

Show information on the module version and exit.

-d,
--debug

Show debug information upon execution of the specified command.

Has no effect if a command is not specified. To invoke a command, enter the following:

drweb-ctl -d <command>

3. Commands

Commands to manage Dr.Web for Linux can be divided into the following groups:

Anti-virus scanning commands

Commands to manage updates and operation in Central protection mode

Configuration management commands

Commands to manage detected threats and quarantine

Information commands

3.1. Anti-virus scanning commands

The following commands to manage anti-virus scanning are available:

Command

Description

scan <path>

Function

Start checking the specified file or directory with Scanner.

Arguments

<path> – Path to the file or directory which is selected to be scanned.

This argument can be missing if the --stdin or --stdin0 option is specified.

To specify several files that satisfy a certain criterion, use the find utility (see the examples) and the --stdin or --stdin0 options.

Options

-a [--Autonomous] – Start a separate instance of the Dr.Web for Linux engine and Scanner and terminate their operation after the scanning task completes. Note that threats detected during autonomous scanning are not displayed in the common threat list that is output by the threats command (see below).

--stdin – Get the list of paths to scan from the standard input stream (stdin).

Paths in the list must be separated by the new line character ('\n').

--stdin0 – Get the list of paths to scan from the standard input stream (stdin).

Paths in the list must be separated by the NUL character ('\0').

Note that templates are not allowed when specifying paths for either of these options.

Recommended usage of the --stdin and --stdin0 options is processing a path list (generated by an external utility, for example, find) in the scan command (see examples).

--Report <BRIEF|DEBUG> – Specify the type of scanning results report.

Possible values:

BRIEF – brief report.

DEBUG – detailed report.

Default value: BRIEF

--ScanTimeout <number> – Set the timeout value for scanning one file, in ms.

If the value is set to 0, time to scan a file is not limited.

Default value: 0

--PackerMaxLevel <number> – Set the maximum nesting level when scanning packed objects.

If the value is set to 0, the nested objects are not checked.

Default value: 8

--ArchiveMaxLevel <number> – Set the maximum level of nesting when scanning archives (zip, rar, etc.).

If the value is set to 0, the nested objects are not checked.

Default value: 8

--MailMaxLevel <number> – Set the maximum level of nesting when scanning email messages (pst, tbb, etc.).

If the value is set to 0, the nested objects are not checked.

Default value: 8

--ContainerMaxLevel <number> – Set the maximum level of nesting when scanning containers of other types (HTML and others).

If the value is set to 0, the nested objects are not checked.

Default value: 8

--MaxCompressionRatio <ratio> – Set the maximum compression ratio for scanned objects.

The ratio must be at least equal to 2.

Default value: 3000

--HeuristicAnalysis <On|Off> – Enable or disable heuristics analysis.

Default value: On

--OnKnownVirus <action> – Action applied to a threat detected using signature analysis.

Allowed values: REPORT, CURE, QUARANTINE, DELETE.

Default value: REPORT

--OnIncurable <action> – Action applied on failure to cure a detected threat or if a threat is incurable.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnSuspicious <action> – Action applied to a threat detected using heuristics analysis.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnAdware <action> – Action applied to adware.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnDialers <action> – Action applied to a dialer.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnJokes <action> – Action applied to a joke program.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnRiskware <action> – Action applied to a potentially dangerous program (riskware).

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnHacktools <action> – Action applied to a hacktool.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

bootscan <disk drive> | ALL

Function

Start checking boot records on the specified disks with Scanner. Both MBR and VBR records are scanned.

Arguments

<disk drive> – Path to the block device file of the disk whose boot record is to be scanned.

If you specify ALL, all boot records of all available disks are scanned.

Mandatory argument.

Options

-a [--Autonomous] – Start a separate instance of the Dr.Web for Linux engine and Scanner and terminate their operation after the scanning task completes. Note that threats detected during autonomous scanning are not displayed in the common threat list that is output by the threats command (see below).

--Report <BRIEF|DEBUG> – Specify the type of scanning results report.

Possible values:

BRIEF – brief report.

DEBUG – detailed report.

Default value: BRIEF

--ScanTimeout <number> – Specify timeout to scan one file, in ms.

If the value is set to 0, time to scan one file is not limited.

Default value: 0

--HeuristicAnalysis <On|Off> – Enable or disable heuristics analysis.

Default value: On

--Cure <Yes|No> – Enable or disable attempts to cure detected threats.

If the value is set to No, only notification is output.

Default value: No

--ShellTrace – Enable output of additional debug information when scanning a boot record.

procscan

Function

Start checking executable files containing code of currently running processes with Scanner.

Arguments

No.

Options

-a [--Autonomous] – Start a separate instance of the Dr.Web for Linux engine and Scanner and terminate their operation after the scanning task completes. Note that threats detected during autonomous scanning are not displayed in the common threat list that is output by the threats command (see below).

--Report <BRIEF|DEBUG> – specify the type of scanning report.

Allowed values:

BRIEF – brief report.

DEBUG – detailed report.

Default value: BRIEF

--ScanTimeout <number> – Specify timeout to scan one file, in ms.

If the value is set to 0, time to scan one file is not limited.

Default value: 0

--HeuristicAnalysis <On|Off> – Enable or disable heuristics analysis.

Default value: On

--PackerMaxLevel <number> – Set the maximum nesting level when scanning packed objects.

If the value is set to 0, the nested objects are not checked.

Default value: 8

--OnKnownVirus <action> – Action applied to a threat detected using signature analysis.

Allowed values: REPORT, CURE, QUARANTINE, DELETE.

Default value: REPORT

--OnIncurable <action> – Action applied on failure to cure a detected threat or if a threat is incurable.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnSuspicious <action> – Action applied to a threat detected using heuristics analysis.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnAdware <action> – Action applied to adware.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnDialers <action> – Action applied to dialers.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnJokes <action> – Action applied to joke programs.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnRiskware <action> – Action applied to potentially dangerous programs (riskware).

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

--OnHacktools <action> – Action applied to hacktools.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

Note that if a threat is detected in an executable file, Dr.Web for Linux terminates all processes started from the file.

cloudscan

Function

Use the Dr.Web Cloud service to check a specified file or directory.

Arguments

<path> – Path to the file or directory to be scanned.

Options

--Report <BRIEF|DEBUG> – specify the scanning report type.

Allowed values:

BRIEF – brief report.

DEBUG – detailed report.

Default value: BRIEF

--ScanTimeout <number> – Specify the timeout to scan one file, in ms.

If the value is set to 0, time to scan one file is not limited.

Default value: 0

--HeuristicAnalysis <On|Off> – Enable or disable heuristics analysis.

Default value: On

--PackerMaxLevel <number> – Set the maximum nesting level for scanning packed objects.

If the value is set to 0, nested objects are not checked.

Default value: 8

--ArchiveMaxLevel <number> – Set the maximum nesting level when scanning archives (zip, rar, etc.).

If the value is set to 0, the nested objects are not checked.

Default value: 8

--MailMaxLevel <number> – Set the maximum nesting level when scanning email messages (pst, tbb, etc.).

If the value is set to 0, the nested objects are not checked.

Default value: 8

--ContainerMaxLevel <number> – Set the maximum nesting level when scanning containers of other types (HTML and others).

If the value is set to 0, the nested objects are not checked.

Default value: 8

--MaxCompressionRatio <ratio> – Set the maximum compression ratio for scanned objects.

The ratio must be at least equal to 2.

Default value: 3000

--Cure <Yes|No> – Enable or disable attempts to cure detected threats.

If the value is set to No, only notifications about detection of a threat are displayed.

Default value: No

--ShellTrace – Enable output of additional debug information when scanning a file.
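The scan command's --stdin0 option, as an added example (not taken from the Dr.Web documentation): a POSIX shell function that passes find results to drweb-ctl scan as a NUL-separated list, which stays intact even when a file name contains a newline. The DRWEB_CTL variable and the function names are assumptions of this example, and find is assumed to support -print0 and -xdev (GNU or BSD find).

```shell
#!/bin/sh
# Added example, not part of the Dr.Web documentation.
# DRWEB_CTL is a hypothetical override (defaults to the real utility) so the
# function can be dry-run against a stub.
DRWEB_CTL="${DRWEB_CTL:-drweb-ctl}"

# count_paths0: number of NUL-terminated paths on stdin.
count_paths0() {
    tr -cd '\000' | wc -c | tr -d ' '
}

# scan_recent <dir> <days> [scan options...]
# Scan regular files under <dir> modified within the last <days> days.
scan_recent() {
    dir=$1; days=$2; shift 2
    list=$(mktemp) || return 2
    # -print0 ends every path with NUL, the separator --stdin0 expects.
    # A file name may contain '\n' (which --stdin would split into two
    # bogus paths) but never NUL. -xdev keeps find on one file system.
    find "$dir" -xdev -type f -mtime "-$days" -print0 > "$list"
    if [ "$(count_paths0 < "$list")" -eq 0 ]; then
        rm -f "$list"
        echo "scan_recent: nothing to scan under $dir" >&2
        return 0
    fi
    rc=0
    "$DRWEB_CTL" scan --stdin0 "$@" < "$list" || rc=$?
    rm -f "$list"
    return "$rc"
}

# Typical call, using options documented above:
#   scan_recent /home 1 --OnKnownVirus QUARANTINE --ScanTimeout 60000
```

The empty-list check is a choice made in this example so that the scanner is not started with nothing on its standard input.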

3.2. Commands to manage updates and operation in Central protection mode

The following commands for managing updates and operation in Central protection mode are available:

Command

Description

update

Function

Instruct Updater to download and install updates to virus databases and components from Doctor Web update servers or terminate an updating process if running.

The command has no effect if Dr.Web for Linux is connected to the central protection server.

Arguments

No.

Options

--Stop – Terminate the currently performed updating process.

esconnect <server>[:port]

Function

Connect Dr.Web for Linux to the specified central protection server (for example, Dr.Web Enterprise Server). For details on Anti-virus operation modes, refer to Operation modes.

Arguments

<server> – IP address or network name of the host on which the central protection server is operating. The argument is mandatory.

<port> – Name of the port used by the central protection server. The argument is optional. Specify the argument only if the central protection server uses a non-standard port.

Options

--Key <path> – Path to the public key file of the central protection server to which Dr.Web for Linux is connected.

--Login <ID> – Login (workstation identifier) used for connection to the central protection server.

--Password <password> – Password for connection to the central protection server.

--Group <ID> – identifier of the group to which the workstation is added on connection.

--Rate <ID> – identifier of the tariff group applied to a workstation when it is included in one of the central protection server groups (can be specified only together with the --Group option).

--Compress <On|Off> – enables (On) or disables (Off) forced compression of transmitted data. When not specified, usage of compression is determined by the server.

--Encrypt <On|Off> – enables (On) or disables (Off) forced encryption of transmitted data. When not specified, usage of encryption is determined by the server.

--Newbie – connect as a «newbie» (get a new account on the server).

--WithoutKey – allows connection to the server without using the public key.

--WrongKey – allows connection to the server even if the specified public key is wrong.

The --Key and --WithoutKey options are mutually exclusive. One of these options must be specified in the command.

Note that this command requires drweb-ctl to be started with superuser privileges.

esdisconnect

Function

Disconnect Dr.Web for Linux from the central protection server and switch its operation to autonomous mode.

The command has no effect if Dr.Web for Linux is in autonomous mode.

Arguments

No.

Options

No.

Note that this command requires drweb-ctl to be started with superuser privileges.
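A pre-flight check for esconnect arguments, as an added example (not Dr.Web code): it enforces the two usage rules stated above (exactly one of --Key and --WithoutKey; --Rate only together with --Group) and, as a local policy assumed here, rejects --WithoutKey, --WrongKey and --Encrypt Off because they skip the server key check or turn encryption off. The function name and return codes are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web documentation.
# check_esconnect <arguments that would follow "drweb-ctl esconnect">
# Returns 0 if the call is acceptable, 1 if it breaks a usage rule stated
# above, 2 if it is valid but skips the server key check or turns encryption
# off (a local policy assumed for this example, not a Dr.Web rule).
check_esconnect() {
    server="" key=0 nokey=0 wrongkey=0 group=0 rate=0 encoff=0
    while [ $# -gt 0 ]; do
        case $1 in
            --Key|--Login|--Password|--Group|--Rate|--Compress|--Encrypt)
                if [ $# -lt 2 ]; then
                    echo "esconnect: $1 needs a value" >&2; return 1
                fi
                case $1 in
                    --Key)     key=1 ;;
                    --Group)   group=1 ;;
                    --Rate)    rate=1 ;;
                    --Encrypt) if [ "$2" = Off ]; then encoff=1; fi ;;
                esac
                shift ;;
            --WithoutKey) nokey=1 ;;
            --WrongKey)   wrongkey=1 ;;
            --Newbie)     ;;
            --*) echo "esconnect: unknown option $1" >&2; return 1 ;;
            *)   server=$1 ;;
        esac
        shift
    done
    if [ -z "$server" ]; then
        echo "esconnect: <server> is mandatory" >&2; return 1
    fi
    if [ $((key + nokey)) -ne 1 ]; then
        echo "esconnect: give exactly one of --Key, --WithoutKey" >&2; return 1
    fi
    if [ "$rate" -eq 1 ] && [ "$group" -eq 0 ]; then
        echo "esconnect: --Rate is only valid with --Group" >&2; return 1
    fi
    if [ $((nokey + wrongkey + encoff)) -gt 0 ]; then
        echo "policy: server key not verified or encryption off" >&2; return 2
    fi
    return 0
}
```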

3.3. Configuration management commands

The following commands to manage configuration are available:

Command

Description

cfset <section>.<parameter> <value>

Function

Change the active value of the specified parameter in the current configuration.

Note that an equal sign is not allowed.

Arguments

<section> – Name of the configuration file where the parameter resides. The argument is mandatory.

<parameter> – Name of the parameter. The argument is mandatory.

<value> – New value that is to be assigned to the parameter. The argument is mandatory.

The parameter and its value are specified in the following format: <section>.<parameter> <value>

For description of the configuration file, refer to the man documentation drweb.ini(5).

Options

-a [--Add] – Do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can have several values, specified as a list).

-e [--Erase] – Do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list).

-r [--Reset] – Reset the parameter value to the default. In this case, <value> is not required in the command and is ignored if specified.

Options are not mandatory. If none is specified, the current parameter value (or the whole list, if the parameter holds several values) is replaced with the specified value.

For the -r option, a special syntax to invoke the cfset command is used:

cfset <section>.* -r

In this case, all parameters of the specified section are reset to defaults.

Note that this command requires drweb-ctl to be started with superuser privileges.

cfshow [<section>[.<parameter>]]

Function

Output parameters of the current configuration.

Parameters are output in the following format: <section>.<parameter> = <value>. Sections and parameters of non-installed components are not output.

Arguments

<section> – Name of the configuration file section whose parameters are to be output. The argument is optional. If not specified, parameters of all configuration file sections are output.

<parameter> – Name of the parameter to be output. The argument is optional. If not specified, all parameters of the section are output. Otherwise, only this parameter is output. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are output.

Options

--Uncut – Output all configuration parameters (not only those used with the currently installed set of components). If the option is not specified, only parameters used for configuration of the installed components are output.

--Ini – Output parameter values in the INI file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).

3.4. Commands to manage detected threats and quarantine

The following commands for managing threats and quarantine are available:

Command

Description

threats [<command> <object>]

Function

Apply the specified action to detected threats by their identifiers. Type of the action is configured with the specified command option.

If the action is not specified, output information on detected but not neutralized threats.

Arguments

No.

Options

-f [--Follow] – Wait for new messages on new threats and output the messages once they are received (interrupt waiting with ^C).

--Cure <threat list> – Attempt to cure the listed threats (threat identifiers are specified as a comma-separated list).

--Quarantine <threat list> – Move the listed threats to quarantine (threat identifiers are specified as a comma-separated list).

--Delete <threat list> – Delete the listed threats (threat identifiers are specified as a comma-separated list).

--Ignore <threat list> – Ignore the listed threats (threat identifiers are specified as a comma-separated list).

If it is required to apply the command to all detected threats, specify all instead of <threat list>.

For example, the following command

drweb-ctl threats --Quarantine all

moves all detected malicious objects to quarantine.

quarantine [<command> <object>]

Function

Apply an action to the specified object in quarantine.

If not specified, the following information is output: object identifier in quarantine and brief information on source files.

Arguments

No.

Options

--Delete <object> – Delete the specified object from quarantine.

Note that objects are deleted from quarantine permanently.

--Cure <object> – Try to cure the specified object in quarantine.

Note that even if the object is successfully cured, it will stay in quarantine. To retrieve the cured object from quarantine, use the --Restore option.

--Restore <object> – Restore the specified object from quarantine to the original location.

Note that this operation may require that drweb-ctl is started with superuser privileges. The object can be restored even if it contains a threat.

As an <object> specify the object identifier in quarantine. To apply the command to all quarantined objects, specify all as an <object>.

For example, the following command

drweb-ctl quarantine --Restore all

restores all objects from quarantine.

3.5. Information Commands

The following information commands are available:

Command

Description

appinfo

Function

Output information on active Dr.Web for Linux modules.

Arguments

No.

Options

-f [--Follow] – Wait for new messages on module status change and output them once such a message is received (interrupt waiting with ^C).

baseinfo

Function

Output information on the current version of the Dr.Web for Linux engine and status of virus databases.

Arguments

No.

Options

No.

license

Function

Output information on the active license.

Arguments

No.

Options

No.