1.Detection and neutralization of threats. Searches for malicious programs (for example, viruses, including those that infect mail files and boot records, trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers, and so on). To find more information on computer threat types, refer to Appendix A. Types of Computer Threats.
Threat detection methods:
•signature analysis, which allows detection of known threats;
•heuristic analysis, which allows detection of threats that are not present in virus databases;
•cloud-based threat detection technologies, using the Dr.Web Cloud service that collects up-to-date information about recent threats and sends it to Dr.Web products.
|
The heuristic analyzer may raise false positive detections. Thus, objects that contain threats detected by the analyzer are considered “suspicious”. It is recommended that you choose to quarantine such files and send them for analysis to Doctor Web anti-virus laboratory. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats. |
When scanning the file system on the user's request, it is possible of either full scan of all the file system objects available to user, or custom scan of the specified objects only (separate directories or files that meet the specified criteria). In addition, it is possible to perform separate checks of boot records of volumes and executable files which support currently active processes in the system. In the latter case, when a threat is detected, it is not only neutralized the malicious executable file, but all processes running from it are forcibly terminated. In systems that implement a mandatory model of access to files with a set of different access levels, the scanning of files that are not available at the current access level can be done in special autonomous copy mode.
All objects containing threats detected in the file system are registered in the permanently stored threats registry, except those threats that were detected in the autonomous copy mode.
The Dr.Web Ctl command-line tool included in Dr.Web for UNIX Internet Gateways, allows to scan for threats file systems of remote network hosts, that provide remote terminal access via SSH or Telnet.
|
The remote scanning can be used only for detection of malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, it is necessary to use administration tools provided directly by this host. For example, for routers and other “smart” devices, a mechanism for a firmware update can be used; for computing machines, it can be done via a connection to them (as an option, using a remote terminal mode) and respective operations in their file system (removal or moving of files, and so on), or via running an anti-virus software installed on them. |
2.Analyzing data transmitted to the internet. Not only user requests are monitored (i.e. attempts to connect to the web server and to transmit any file to it), but also data sent in response to users’ request. To analyze requests and send data, Dr.Web for UNIX Internet Gateways connects via ICAP protocol as an external filter to the proxy server, processing HTTP connections of the local network users. Moreover, using the SpIDer Gate component, it is possible to perform barrier functions, which prevents receiving and transmitting infected files by the public server of the organization (this option is available only for GNU/Linux). To restrict access to unwanted websites, the product uses automatically updated databases of web resource categories, which are supplied together with Dr.Web for UNIX Internet Gateways; and white and black lists created by the system administrator manually. The product also refers to the Dr.Web Cloud service to check for the information whether the internet resource is marked as malicious by other Dr.Web products.
3.Reliable isolation of infected or suspicious objects. Such objects detected in the server's file system are moved to a special storage, quarantine, to prevent any harm to the system. When moved to quarantine, objects are renamed according to special rules and, if necessary, they can be restored to their original location only on demand.
The threats detected by the Dr.Web ICAPD component in the HTTP protocol messages are not moved to Quarantine on the internet gateway. Instead their load and transfer to a recipient are blocked, and the user is informed by a special HTML page with a message about blocking.
4.Automatic update of the scan engine, virus databases, databases of web resource categories for the maintenance of the high level of protection against malware.
5.Collection of statistics on virus events; logging threat detection events. Sending of notifications on detected threats over SNMP to external monitoring systems and to the centralized protection server if Dr.Web for UNIX Internet Gateways operates in the centralized protection mode, as well as to Dr.Web Cloud.
6.Operation in the centralized protection mode (when connected to the centralized protection server, such as Dr.Web Enterprise Server or as a part of Dr.Web AV-Desk service). This mode allows implementation of a unified security policy on computers within the protected network. It can be a corporate network, a private network (VPN), or a network of a service provider (for example, an internet service provider).