Appendix B. Neutralizing Computer Threats

In this appendix

Detection Methods

Threat-related Actions

All Doctor Web anti-virus solutions use several malicious software detection methods simultaneously, which allows them to scan suspicious files thoroughly and to control software behavior.

Detection Methods

Signature Analysis

Signature analysis is the first stage of the detection procedure and is used to check file code segments for the presence of known virus signatures. A signature is a finite continuous sequence of bytes that is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, Dr.Web anti-virus solutions store signature checksums instead of complete signature sequences. Checksums uniquely identify signatures, which preserves the correctness of virus detection and neutralization. The Dr.Web virus databases are composed so that some entries can be used to detect not just specific viruses but whole classes of threats.

Origins Tracing™

On completion of signature analysis, Dr.Web anti-virus solutions use the unique Origins Tracing™ method to detect new and modified viruses that use known infection mechanisms. Thus, Dr.Web users are protected against such threats as the notorious Trojan.Encoder.18 ransomware (also known as gpcode). In addition to detecting new and modified viruses, the Origins Tracing™ mechanism considerably reduces the number of false positives of the heuristics analyzer. Objects detected using the Origins Tracing™ algorithm are indicated with the .Origin extension added to their names.

Execution Emulation

The technology of program code emulation is used to detect polymorphic and encrypted viruses when a search by checksums cannot be applied directly or is very difficult to perform (because no reliable signature can be built). The method implies simulating the execution of the analyzed code by an emulator, a programming model of the processor and runtime environment. The emulator operates on a protected memory area (the emulation buffer), in which execution of the analyzed program is modelled instruction by instruction; none of these instructions is actually executed by the CPU. When the emulator receives a file infected with a polymorphic virus, the result of the emulation is the decrypted virus code, which is then easily identified by searching against signature checksums.
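As an added illustration of the two mechanisms above (example code written for this page, not Dr.Web's engine; the instruction set, the signature name and the sample bytes are all constructed for the demonstration), a checksum-keyed signature table combined with a toy emulator that decodes an XOR-encoded body inside a private buffer before the checksum search is repeated:

```python
import zlib
# Constructed signature database: (length, CRC32 of signature) -> name; only
# the checksum is stored, as described above, not the byte sequence itself.
KNOWN_SIGNATURES = {}

def add_signature(name, sequence):
    KNOWN_SIGNATURES[(len(sequence), zlib.crc32(sequence))] = name

add_signature("Test.Sample.A", b"SAMPLE-SIGNATURE-A")  # constructed, benign

def scan_by_checksum(data):
    """Slide each known signature length over the data and compare checksums."""
    hits = []
    for (length, checksum), name in KNOWN_SIGNATURES.items():
        for offset in range(len(data) - length + 1):
            if zlib.crc32(data[offset:offset + length]) == checksum:
                hits.append((name, offset))
    return hits

def emulate(program, buffer, max_steps=10000):
    """Toy emulator (hypothetical ISA, not a real CPU): runs a decoder stub
    over a private emulation buffer; nothing is executed by the host CPU."""
    regs, pc, steps = {"ptr": 0, "cnt": 0}, 0, 0
    while pc < len(program) and steps < max_steps:  # step limit bounds loops
        steps += 1
        op, *args = program[pc]
        if op == "MOV":                 # MOV reg, imm
            regs[args[0]] = args[1]
        elif op == "XORB":              # XORB key: buffer[ptr] ^= key
            buffer[regs["ptr"]] ^= args[0]
        elif op == "INC":               # INC reg
            regs[args[0]] += 1
        elif op == "DEC":               # DEC reg
            regs[args[0]] -= 1
        elif op == "JNZ" and regs[args[0]] != 0:  # JNZ reg, target
            pc = args[1]
            continue
        pc += 1
    return bytes(buffer)

def constructed_sample(key=0x5A):
    """Constructed sample: XOR-encoded body plus the stub that decodes it."""
    body = b"padding.." + b"SAMPLE-SIGNATURE-A" + b"..tail"
    stub = [("MOV", "ptr", 0), ("MOV", "cnt", len(body)),
            ("XORB", key), ("INC", "ptr"), ("DEC", "cnt"), ("JNZ", "cnt", 2)]
    return stub, bytes(b ^ key for b in body)

def detect(stub, encoded):
    """Raw checksum search misses; the same search over the emulated buffer hits."""
    return scan_by_checksum(encoded), scan_by_checksum(emulate(stub, bytearray(encoded)))
```

The per-window CRC32 is deliberately naive; a production scanner anchors signatures to offsets or uses rolling checksums so that it does not recompute a hash at every byte.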

Heuristic Analysis

The detection method used by the heuristics analyzer is based on certain knowledge (heuristics) about certain features (attributes) that might be typical for virus code itself and, conversely, features that are extremely rare in viruses. Each attribute has a weight coefficient which determines its severity and reliability. The weight coefficient is positive if the corresponding attribute is indicative of malicious code, or negative if the attribute is uncharacteristic of a computer threat. Depending on the total weight of a file, the heuristics analyzer calculates the probability of infection by an unknown virus. If the threshold is exceeded, the heuristics analyzer concludes that the analyzed object is probably infected with an unknown virus.

The heuristics analyzer also uses the FLY-CODE™ technology, a versatile algorithm for extracting packed files. The technology allows making heuristic assumptions about the presence of malicious objects in files compressed not only by packers that Dr.Web is aware of, but also by new, previously unexplored ones. While scanning packed objects, Dr.Web anti-virus solutions also use structural entropy analysis. This technology detects threats by the characteristic way in which pieces of code are arranged inside a file; thus, one virus database entry allows identification of a substantial portion of threats packed with the same polymorphic packer.

Like any system of hypothesis testing under uncertainty, the heuristics analyzer may commit type I or type II errors (raise false positives or miss viruses). Thus, objects detected by the heuristics analyzer are treated as “suspicious”.
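An added example of the weighted-attribute scheme and the structural entropy profile described in the three paragraphs above (written for this page, not Dr.Web's code; the attributes, weights, threshold and sample bytes are all constructed), including a sample on which a negative weight masks a high score, the type II error the text mentions:

```python
import math

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a block; values near 8.0 look compressed or encrypted."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def entropy_profile(data: bytes, block: int = 512) -> list:
    """Structural entropy: entropy of each fixed-size block, in file order."""
    return [round(shannon_entropy(data[i:i + block]), 2)
            for i in range(0, len(data), block)]

def printable_ratio(data: bytes) -> float:
    return sum(0x20 <= b <= 0x7E for b in data) / max(len(data), 1)

def mostly_high_entropy(data: bytes) -> bool:
    profile = entropy_profile(data)
    return bool(profile) and sum(e > 6.5 for e in profile) * 2 >= len(profile)

# Constructed attribute set: (name, weight coefficient, predicate).
# Positive weights mark attributes indicative of malicious code, negative
# weights mark attributes that are uncharacteristic of a threat.
HEURISTICS = [
    ("packed_like_entropy", 3, mostly_high_entropy),
    ("low_printable_ratio", 2, lambda d: printable_ratio(d) < 0.5),
    ("copyright_notice", -2, lambda d: b"Copyright" in d),
]
THRESHOLD = 4  # total weight above which the object is reported as suspicious

def heuristic_verdict(data: bytes) -> tuple:
    """Sum the weights of the attributes that fired and compare with the threshold."""
    fired = [(name, w) for name, w, pred in HEURISTICS if pred(data)]
    score = sum(w for _, w in fired)
    return ("suspicious" if score > THRESHOLD else "clean"), score, fired

# Constructed samples: a uniform byte distribution stands in for a packed body,
# a repeated notice stands in for the strings of a plain legitimate binary.
PACKED_SAMPLE = bytes(range(256)) * 4
CLEAN_SAMPLE = b"Copyright (c) Example Corp. Prints a greeting.\n" * 20
# A packed body that also carries a legitimate-looking notice scores 3, below
# the threshold: the negative weight masks it (a type II error for the analyzer).
MASKED_SAMPLE = PACKED_SAMPLE + b"Copyright"
```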

While performing any of the scans mentioned above, Dr.Web anti-virus solutions use the most recent information about known malicious software. As soon as experts of the Doctor Web anti-virus laboratory discover new threats, an update for virus signatures, behavior characteristics and attributes is issued. In some cases updates can be issued several times per hour. Therefore, even if a brand new malicious program passes through the Dr.Web resident guards and penetrates the system, after an update the malicious program is detected in the list of processes and neutralized.

Cloud-based Threat Detection Technologies

Cloud-based detection methods allow scanning any object (a file, an application, a browser extension, etc.) by its hash value. A hash is a unique sequence of numbers and letters of a given length. When analyzed by hash value, objects are checked against the existing database and classified into categories: clean, suspicious, malicious, etc.

This technology reduces file scanning time and saves device resources. The decision on whether the object is malicious is made almost instantly, because it is not the object itself that is analyzed but its unique hash value. If there is no connection to the Dr.Web Cloud servers, files are scanned locally, and cloud scanning resumes when the connection is restored.

Thus, the Dr.Web Cloud service collects information from numerous users and quickly updates data on previously unknown threats, increasing the effectiveness of device protection.

Actions

To avert computer threats, Dr.Web products use a number of actions that can be applied to malicious objects. A user can keep the default settings, configure which actions to apply automatically, or choose actions manually upon every detection. The available actions are listed below:

Ignore (Ignore)—instructs to skip the detected threat without performing any other action.

Report (Report)—instructs to inform on the detected threat without performing any other action.

Cure (Cure)—instructs to cure the infected object by removing only malicious content from its body. Note that this action cannot be applied to all types of threats.

Quarantine (Quarantine)—instructs to move the detected threat to a special directory and isolate it from the rest of the system.

Delete (Delete)—instructs to remove the infected object permanently.

If a threat is detected in a file located in a container (an archive, an email message, and so on), the container is moved to quarantine instead of removing the file.

The following actions can be applied to email messages when Dr.Web MailD scans them:

Pass (Pass)—instructs to skip the detected threat without performing any other action.

Reject (Reject)—instructs to reject an email message and prevents its delivery to a recipient.

Tempfail (Tempfail)—instead of delivering an email message, instructs to return an error message to its sender or recipient.

Discard (Discard)—instructs to accept an email message and not deliver it to a recipient.

Repack (Repack)—before delivery of an email message to a recipient, instructs to modify it by moving threats to quarantine, which is an archive attached to the email message, and to add a notification of threat detection to the email message.

Add Header (Add header)—instructs to add a header to an email message on delivery to a recipient.

Change Header (Change header)—instructs to change the value of the indicated header on delivery to a recipient.