Basic Features of Dr.Web Gateway Security Suite

1. Detection and neutralization of threats. Scanning for malicious programs of any kind (various viruses, including those that infect mail files and boot records, trojans, email worms and so on) and unwanted software (adware, joke programs and dialers). For details on threat types, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

signature analysis—a scan method that detects known threats registered in the virus databases;

heuristic analysis—a set of scan methods that detect threats that are not yet known;

cloud-based threat detection technologies using the Dr.Web Cloud service, which collects up-to-date information about recent threats detected by various Dr.Web anti-virus products.

The heuristic analyzer may cause false-positive detections. Thus, objects that contain threats detected by the analyzer are considered “suspicious”. It is recommended that you quarantine such files and send them for analysis to the Doctor Web anti-virus laboratory. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When scanning the file system on user request, it is possible to perform either a full scan of all file system objects available to the user, or a custom scan of specified objects only (individual directories, or files that meet the specified criteria). In addition, it is possible to perform a separate check of the boot records of volumes and of the executable files that started the currently active processes. In the latter case, when a threat is detected, the malicious executable file is neutralized and all processes it started are forcibly terminated. On systems that implement a mandatory file access model with several access levels, files that are not available at the current access level can be scanned in a special autonomous copy mode.

All objects containing threats detected in the file system are registered in a permanent threat registry, except those threats that were detected in autonomous copy mode.

The Dr.Web Ctl command-line tool bundled with Dr.Web Gateway Security Suite can scan the file systems of remote network hosts for threats, provided that those hosts offer remote terminal access via SSH or Telnet.

Remote scanning can be used only to detect malicious or suspicious files on a remote host. To eliminate detected threats on the remote host, it is necessary to use the administration tools provided by that host itself. For example, firmware can be updated on routers and other “smart” devices; general-purpose computers require connecting to them (including via a remote terminal) and performing the corresponding operations in their file system (deleting or moving files, and so on), or running the anti-virus software installed on them.

2. Analyzing data transmitted to the internet. Both user requests (that is, attempts to connect to a web server and upload a file to it) and the data that web servers send in response to those requests are monitored. To analyze requests and returned data, Dr.Web Gateway Security Suite connects via ICAP, as an external filter, to the proxy server that handles HTTP connections of local network users. Furthermore, using the SpIDer Gate component, it is possible to use barrier functions that prevent the organization's public web server from receiving or sending infected files (this option is available only on GNU/Linux). To restrict access to unwanted websites, the product uses an automatically updated database of web resources divided into categories, which is bundled with Dr.Web Gateway Security Suite, together with white and black lists created manually by the system administrator. The product also queries the Dr.Web Cloud service to check whether an internet resource has been marked as malicious by other Dr.Web products.
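To make the ICAP integration concrete, here is an added example (not Dr.Web's code; the service URI, host name and reply contents are assumptions) of the exchange between a proxy and an external scanning filter: the proxy wraps an upload (REQMOD) or a server response (RESPMOD) in an ICAP request, and the filter answers either 204 (clean, pass unchanged) or 200 with a replacement HTTP message such as a blocking page.

```python
"""Constructed ICAP exchange: how a proxy hands an HTTP upload (REQMOD) or a
server response (RESPMOD) to an external scanning filter, and how the
filter's reply is turned into a pass/replace/block decision."""
ICAP_HOST = "av-gateway.example"                      # hypothetical
ICAP_SERVICE = f"icap://{ICAP_HOST}/scan"             # hypothetical service URI


def chunk(body: bytes) -> bytes:
    """ICAP bodies are sent HTTP-chunked, terminated by a zero-size chunk."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def encapsulate(method: str, req_hdr: bytes, body: bytes, res_hdr: bytes = b"") -> bytes:
    """Build the ICAP request the proxy sends. Offsets in the Encapsulated
    header tell the filter where each HTTP section starts (RFC 3507)."""
    if method == "REQMOD":            # user upload: request headers + request body
        enc, payload = f"req-hdr=0, req-body={len(req_hdr)}", req_hdr
    elif method == "RESPMOD":         # server answer: request headers + response
        enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
        payload = req_hdr + res_hdr
    else:
        raise ValueError(method)
    icap_hdr = (f"{method} {ICAP_SERVICE} ICAP/1.0\r\nHost: {ICAP_HOST}\r\n"
                f"Allow: 204\r\nEncapsulated: {enc}\r\n\r\n").encode()
    return icap_hdr + payload + chunk(body)


def parse_verdict(icap_reply: bytes) -> dict:
    """204: clean, forward the original unchanged. 200: the filter replaced the
    HTTP message (here with a blocking page). Anything else: fail closed."""
    head, _, rest = icap_reply.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    if status == 204:
        return {"action": "pass", "replacement": None}
    if status == 200:
        _, _, chunked = rest.partition(b"\r\n\r\n")   # skip encapsulated res-hdr
        size_hex, _, data = chunked.partition(b"\r\n")
        return {"action": "replace", "replacement": data[: int(size_hex, 16)]}
    return {"action": "block", "replacement": None}


# Constructed sample replies from the filter, not real Dr.Web output.
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "sample"\r\n\r\n'
BLOCK_PAGE = b"<html><body>Download blocked by gateway policy</body></html>"
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
BLOCK_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "sample"\r\n'
               + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HDR)
               + BLOCK_HDR + chunk(BLOCK_PAGE))
```

Treating any status other than 204 or 200 as a block keeps the proxy fail-closed when the filter is unreachable or errors out.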

3. Reliable isolation of infected or suspicious objects detected in the server file system in a special storage known as quarantine, to prevent any harm to the system. Quarantined objects are renamed according to special rules and, if necessary, can be restored to their original location only on user demand.

Threats detected by the Dr.Web ICAPD component in HTTP messages are not quarantined on the internet gateway. Instead, their download and transfer to the recipient are blocked, and the user is informed of this with a custom HTML page containing a message about the blocking.

4. Automatic update of the scanning engine, virus databases and web resource category databases to maintain a high level of protection against malware.

5. Collection of statistics on scans and threat events. Logging of detected threats. Sending notifications of detected threats via SNMP to external monitoring systems and to a centralized protection server (if Dr.Web Gateway Security Suite operates in centralized protection mode), as well as to the Dr.Web Cloud service.

6. Operation in centralized protection mode to apply the unified security policies adopted within the network that includes this server. This can be a corporate network, a private network (VPN) or a service provider's network (for example, that of an internet service provider).