Command-Line Call Format

1. Command Format for Calling the Command-Line Utility to Manage the Product

The command-line tool that manages Dr.Web for UNIX Mail Servers is called as follows:

$ drweb-ctl [<general options> | <command> [<argument>] [<command options>]]

where:

<general options>—options that can be given when no command is specified or together with any command. Not mandatory;

<command>—command to be performed by Dr.Web for UNIX Mail Servers (for example, start scanning, output the list of quarantined objects, and other commands);

<argument>—command argument. Depends on the specified command. Some commands do not accept arguments;

<command options>—options for managing the operation of the specified command. Depend on the command. Some commands do not accept options.

2. General Options

The following general options are available:

Option

Description

-h, --help

Show general help information and exit. To display the help information on any command, use the following call:

$ drweb-ctl <command> -h

-v, --version

Show the module version and exit

-d, --debug

Show debug information while running the specified command. The option has no effect unless a command is specified. Use the following call:

$ drweb-ctl <command> -d

3. Commands

Commands to manage Dr.Web for UNIX Mail Servers can be separated into the following groups:

anti-virus scanning commands;

commands to manage updates and operation in a centralized protection mode;

configuration management commands;

commands to manage detected threats and quarantine;

information commands.

To get documentation on this component from the command line, run the following command: man 1 drweb-ctl.

3.1. Anti-virus Scanning Commands

The following commands to manage anti-virus scanning are available:

Command

Description

scan <path>

Purpose: scan the specified file or directory with the file scanning component Dr.Web File Checker.

Arguments

<path>—path (can be relative) to the file or directory to be scanned.

This argument may be omitted if you use the --stdin or the --stdin0 option. To specify several files that satisfy a certain criterion, use the find utility (see Usage Examples) and the --stdin or --stdin0 option.

Options

-a [--Autonomous]—run an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed with threats command (see below), and information on them will not be sent to a centralized protection server, if Dr.Web for UNIX Mail Servers is controlled by it.

--stdin—get the list of paths to be scanned from the standard input stream (stdin). Paths in the list must be separated with the new line character (\n).

--stdin0—get the list of paths to be scanned from the standard input stream (stdin). Paths in the list must be separated with the NUL character (\0). Unlike --stdin, this form is safe for file names that contain a newline.

When the --stdin or --stdin0 option is used, the paths in the list must not contain search patterns or regular expressions. We recommend using --stdin or --stdin0 to process a path list generated by an external utility such as find (see Usage Examples).

--Exclude <path>—an excluded path. The path can be relative and contain a file mask (with the following wildcards: ? and *, as well as character classes [ ], [! ], and [^ ]).

Optional parameter; can be set more than once.

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be no less than 2.

Default value: 3000.

--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size exceeds this value are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.

Default value: none.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On.

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report.

--OnIncurable <action>—an action to perform upon detection of an incurable threat or when the curing action (Cure) has failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnSuspicious <action>—an action to perform upon detection of a suspicious object using the heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnAdware <action>—an action to perform upon detection of adware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

If the threat is detected in a file inside a container (an archive, an email message, and so on), the container is quarantined (Quarantine) and not deleted (Delete).

--FollowSymlinks—resolve symlinks automatically
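Worked example, added here and not part of the Dr.Web documentation: building the path list with find -print0 and feeding it to scan --stdin0, as the --stdin0 description above recommends, combined with --Exclude and the --On* actions so that the scan cures or quarantines instead of only reporting. The script also shows why --stdin0 is preferred over --stdin: a file name that contains a newline is one entry in a NUL-separated list but splits into two non-existent paths in a newline-separated one. The fixture directory is constructed for the example, the DRWEB_CTL variable and the chosen actions are the example's own assumptions, and when drweb-ctl is not installed the script only prints the command it would run.

```shell
# Added example, not from the Dr.Web documentation. Assumptions: DRWEB_CTL
# names the real binary; the fixture directory below is constructed here.
DRWEB_CTL="${DRWEB_CTL:-drweb-ctl}"

# A throwaway tree with the two names that break a newline-separated list:
# one containing a newline, one containing a space. Constructed fixture.
make_fixture() {
    nl=$(printf '\n.'); nl=${nl%.}                 # a literal newline
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/sub"
    printf 'x' > "$dir/plain.eml"
    printf 'x' > "$dir/sub/with space.eml"
    printf 'x' > "$dir/sub/line1${nl}line2.eml"
    printf 'x' > "$dir/sub/skip.tmp"
    printf '%s\n' "$dir"
}

# Entries in the NUL-separated list that --stdin0 consumes: one per file.
count_nul_entries() {
    find "$1" -type f -print0 | tr -cd '\000' | wc -c | tr -d ' '
}

# Entries --stdin would see for the same files: the newline inside a
# file name is taken as a separator, producing two non-existent paths.
count_newline_entries() {
    find "$1" -type f -print | wc -l | tr -d ' '
}

# Scan everything under $1 except one excluded path, curing what can be
# cured and quarantining the rest. Prints the command if drweb-ctl is absent.
scan_tree() {
    root=$1
    if command -v "$DRWEB_CTL" >/dev/null 2>&1; then
        find "$root" -type f -print0 |
            "$DRWEB_CTL" scan --stdin0 \
                --Exclude "$root/sub/skip.tmp" \
                --OnKnownVirus Cure --OnIncurable Quarantine \
                --OnSuspicious Quarantine --Report JSON
    else
        printf 'dry run: find %s -type f -print0 | %s scan --stdin0 ...\n' \
            "$root" "$DRWEB_CTL"
    fi
}

fixture=$(make_fixture)
echo "entries with --stdin0 (NUL):    $(count_nul_entries "$fixture")"     # 4
echo "entries with --stdin (newline): $(count_newline_entries "$fixture")" # 5
scan_tree "$fixture"
rm -rf "$fixture"
```

Because find produces the list and the shell never expands the names, a hostile file name cannot turn into a glob or a second argument; the same holds for names an attacker drops into a mail spool. Combine this with --Report JSON when the result is consumed by another program.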

bootscan <device> | ALL

Purpose: start scanning boot records on specified disks using the file scan component Dr.Web File Checker. Both MBR and VBR records are scanned.

Arguments

<device>—path to the block device file of the disk whose boot record you want to scan. Several devices can be specified, separated by spaces. The argument is mandatory. If ALL is specified instead of a device file, the boot records of all available disk devices are checked.

Options

-a [--Autonomous]—run an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed with threats command (see below), and information on them will not be sent to a centralized protection server, if Dr.Web for UNIX Mail Servers is controlled by it.

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On.

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No.

--ShellTrace—display additional debug information when scanning a boot record

procscan

Purpose: scan the executable files of the currently running system processes with the Dr.Web File Checker component. If a malicious executable file is detected, it is neutralized, and all processes started from this file are forcibly terminated.

Arguments: none.

Options

-a [--Autonomous]—run an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed with threats command (see below), and information on them will not be sent to a centralized protection server, if Dr.Web for UNIX Mail Servers is controlled by it.

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report.

--OnIncurable <action>—an action to perform upon detection of an incurable threat or when the curing action (Cure) has failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnSuspicious <action>—an action to perform upon detection of a suspicious object using the heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnAdware <action>—an action to perform upon detection of adware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

If a threat is detected in an executable file, Dr.Web for UNIX Mail Servers terminates all processes started by the file.

netscan [<path>]

Purpose: start distributed scanning of the specified file or directory using the Dr.Web Network Checker agent for network data scanning. If there are no configured connections to other hosts that are running Dr.Web for UNIX, then the scanning will be done only using the locally available scan engine (similar to the scan command).

Arguments

<path>—path to the file or directory to be scanned.

If this argument is omitted, data from the stdin input stream will be scanned.

Options

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be no less than 2.

Default value: 3000.

--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size exceeds this value are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.

Default value: none.

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No

flowscan <path>

Purpose: start scanning the specified file or directory via Dr.Web File Checker using the “flow” method.

For on-demand scanning of files and directories, it is recommended that you use the scan command.

Arguments

<path>—path to the file or directory to be scanned.

Options

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

Must be no less than 2.

Default value: 3000.

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using the signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report.

--OnIncurable <action>—an action to perform upon detection of an incurable threat or when the curing action (Cure) has failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnSuspicious <action>—an action to perform upon detection of a suspicious object using the heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnAdware <action>—an action to perform upon detection of adware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

If the threat is detected in a file inside a container (an archive, an email message, and so on), the container is quarantined (Quarantine) and not deleted (Delete).

rawscan <path>

Purpose: start “raw” scanning of the specified file or directory with Dr.Web Scanning Engine directly, without the use of Dr.Web File Checker.

Note that threats detected by “raw” scanning are not included in the list of detected threats that can be displayed with the threats command (see below).

It is recommended that you use this command only to debug the functioning of Dr.Web Scanning Engine. Note that the command reports the “cured” status if at least one of the threats detected in a file has been neutralized, even though not all of them might be. Thus, the command is not suitable for thorough file scanning; use the scan command for that.

Arguments

<path>—path to the file or directory to be scanned.

Options

--ScanEngine <path>—path to the UNIX socket of Dr.Web Scanning Engine. If not specified, an autonomous instance of the scan engine will be started (which will be shut down once the scanning is complete).

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

Must be no less than 2.

Default value: 3000.

--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size exceeds this value are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.

Default value: none.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On.

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No.

--ListCleanItem—output the list of clean (non-infected) files found inside the container that was scanned.

--ShellTrace—enable display of additional debug information when scanning a file.

--Output <path to file>—duplicate the output of the command to the specified file

remotescan <host> <path>

Purpose: scan the specified file or directory on the specified remote host, connecting to it over SSH or Telnet.

Note that threats detected by remote scanning are not neutralized and are not added to the list of detected threats displayed by the threats command (see below).

This function can only detect malicious and suspicious files on a remote host. To eliminate the detected threats, use the administration tools the host itself provides: for routers, set-top boxes and other “smart” devices, a firmware update; for general-purpose computers, a connection to the host (for example, via a remote terminal) followed by the corresponding operations in its file system (deleting or moving files, and so on), or anti-virus software installed on it.

Arguments

<host>—IP address or a domain name of the remote host to be connected to for scanning.

<path>—path to the file or directory to be scanned (the path must be absolute).

Options

-m [--Method] <SSH|Telnet>—remote host connection method (protocol).

If the method is not specified, SSH is used.

-l [--Login] <name>—login (user name) used for authentication on the remote host via the selected protocol.

If a user name is not specified, an attempt is made to connect to a remote host as the user who started the command.

-i [--Identity] <path to file>—private key file used for authentication of the specified user via the selected protocol.

-p [--Port] <number>—number of the port on the remote host for connecting via the selected protocol.

Default value: default port for the selected protocol (22 for SSH, 23 for Telnet).

--ForceInteractive—use the SSH interactive session (only for SSH connections).

Optional parameter.

--TransferListenAddress <address>—address for receiving files transferred from the remote device for scanning.

Optional parameter. If not indicated, an arbitrary address is used.

--TransferListenPort <port>—port for receiving files transferred from the remote device for scanning.

Optional parameter. If not indicated, an arbitrary port is used.

--TransferExternalAddress <address>—address for the remote device to send files for scanning.

Optional parameter. If not indicated, the --TransferListenAddress option value or the outgoing address of the already established session is used.

--TransferExternalPort <port>—port to transfer files for scanning, specified for the remote device.

Optional parameter. If not indicated, an automatically determined port is used.

--Password <password>—password used for authentication of the user via the selected protocol.

Note that the password is passed in plain text on the command line, where it is visible to other local users (for example, in the output of ps) and may be recorded in the shell history; with Telnet it is also sent unencrypted over the network. Where possible, use SSH with a private key (-i) instead.

--Exclude <path>—path to be excluded from scanning. The path can contain a file mask with the following allowed symbols: ? and *, as well as the symbol classes [ ], [! ], [^ ]. The path (including the path with the file mask) must be absolute.

Optional parameter; can be set more than once.

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with specialized software (UPX, PELock, PECompact, Petite, ASPack, Morphine, etc.). Such objects may include other packed objects which may also include packed objects, and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, etc.) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (.pst, .tbb, etc.) in which other files may be enclosed (and these files may also include other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

If the value is set to 0, nested objects are skipped.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

Must be no less than 2.

Default value: 3000.

--MaxSizeToExtract <number>—specify the maximum size of files enclosed in archives. Files whose size exceeds this value are skipped during scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.

Default value: none.

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On

checkmail <path to file>

Purpose: scan an email message saved to a file for threats, signs of spam, malicious links, and non-compliance with mail processing rules, using the email processing component Dr.Web MailD. The scanning results and the action Dr.Web MailD applies to the message after scanning are written to the standard output stream (stdout).

Arguments

<path to file>—path to the file of the email message to be scanned. Mandatory argument.

Options

--Report <type>—specify a type of the scan report.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

Default value: BRIEF.

-r [--Rules] <list of rules>—indicate a list of rules to follow during scanning of an email message.

If the rules are not indicated, the default set of rules is applied, in particular:

threat_category in (KnownVirus, VirusModification, UnknownVirus, Adware, Dialer) : REJECT
total_spam_score gt 0.80 : REJECT
url_category in (InfectionSource, NotRecommended, CopyrightNotice) : REJECT

If Dr.Web Anti-Spam is not installed, the spam rule (the second line) is automatically excluded from the set.

-c [--Connect] <IP>:<port>—specify the network socket (address and port) from which the sender of the scanned message connected.

-e [--Helo] <name>—specify the identifier the sending client presented (an IP address or the FQDN of the host, as in the HELO/EHLO SMTP command).

-f [--From] <email>—email address of a sender (as for the MAIL FROM SMTP command).

If the address is not indicated, the respective address from the email message will be used.

-t [--Rcpt] <email>—email address of a recipient (as for the RCPT TO SMTP command).

If the address is not indicated, the respective address from the email message will be used.

If the email processing component is not installed, calling this command returns an error.
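Worked example, added here and not part of the Dr.Web documentation: replaying a saved message through checkmail with the SMTP envelope it arrived with (-c, -e, -f, -t), so that rules that depend on the sender connection, the HELO name and the envelope addresses are evaluated as they would be on the live mail path rather than against whatever the message headers happen to say. The .eml file is a constructed sample, the sender's source port (PEER_PORT) cannot be recovered from a saved message and is assumed, the header parsing is the example's own and handles unfolded headers only, and the default rule set applies because -r is not passed. Without drweb-ctl installed, only the command is printed.

```shell
# Added example, not from the Dr.Web documentation. The message is a
# constructed sample; PEER_PORT is assumed because a saved message does not
# record the sender's source port; header parsing is this script's own.
DRWEB_CTL="${DRWEB_CTL:-drweb-ctl}"
PEER_PORT="${PEER_PORT:-43210}"

# Write a minimal message as a mail server would save it and print its path.
make_sample_message() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by mail.example.org with ESMTP; Mon, 6 May 2024 10:12:01 +0000
From: Alice <alice@example.net>
To: bob@example.org
Subject: invoice
Content-Type: text/plain

See the attachment.
EOF
    printf '%s\n' "$f"
}

# Value of the first header named $2 in file $1 (name compared
# case-insensitively); the header block ends at the first empty line.
header_value() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }
        {
            split($0, kv, ":")
            if (tolower(kv[1]) == name) { sub(/^[^:]*:[ ]*/, ""); print; exit }
        }' "$1"
}

# Bare address from a header value such as "Alice <alice@example.net>".
mail_address() {
    case $1 in
        *"<"*">"*) printf '%s\n' "$1" | sed 's/.*<\(.*\)>.*/\1/' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Sender IP from the topmost Received header (the bracketed literal).
peer_ip() {
    header_value "$1" Received | sed -n 's/.*\[\([0-9.][0-9.]*\)\].*/\1/p'
}

# Name the sending host announced, as recorded by the receiving MTA.
helo_name() {
    header_value "$1" Received | sed -n 's/^from \([^ ]*\).*/\1/p'
}

# Replay $1 through checkmail with the reconstructed SMTP envelope.
check_message() {
    msg=$1
    from=$(mail_address "$(header_value "$msg" From)")
    rcpt=$(mail_address "$(header_value "$msg" To)")
    peer=$(peer_ip "$msg")
    helo=$(helo_name "$msg")
    if command -v "$DRWEB_CTL" >/dev/null 2>&1; then
        "$DRWEB_CTL" checkmail "$msg" --Report JSON \
            --Connect "$peer:$PEER_PORT" --Helo "$helo" \
            --From "$from" --Rcpt "$rcpt"
    else
        printf 'dry run: %s checkmail %s --Connect %s:%s --Helo %s --From %s --Rcpt %s\n' \
            "$DRWEB_CTL" "$msg" "$peer" "$PEER_PORT" "$helo" "$from" "$rcpt"
    fi
}

msg=$(make_sample_message)
check_message "$msg"
rm -f "$msg"
```

The From and To headers are taken from the message only because the saved copy carries no envelope; in a real replay take MAIL FROM and RCPT TO from the MTA log of the original session, since the header sender is attacker-controlled and may differ from the envelope sender the rules were written for.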

 

mailquarantine

Purpose: Configure the auxiliary Dr.Web Mail Quarantine component which manages email message queues.

Arguments: none.

Options

--Flush—pass scheduled messages from the specified queue to the queue for immediate processing. Requires the --Queue option to be specified. Use the following call:

$ drweb-ctl mailquarantine --Queue <queue> --Flush

--Show—display the specified message queue. Requires the --Queue option to be specified. Use the following call:

$ drweb-ctl mailquarantine --Queue <queue> --Show

--Stat—display statistics on all message queues;

--CheckHealth—perform a consistency check on the message database;

--FixHealth—fix consistency errors in the message database;

-q [--Queue] <queue>—specify the message queue to be processed.

Allowed values:

SmtpFresh—messages to be scanned in the SMTP mode;

SmtpAccepted—messages scanned and accepted in the SMTP mode;

BccFresh—messages to be scanned in the BCC mode;

BccAccepted—messages scanned and accepted in the BCC mode.

-l [--Limit] <number>—set the maximum number of displayed messages from the selected queue.

-d [--Debug]—display debug information while running the specified command. Useless without specifying the command. Use the following call:

$ drweb-ctl mailquarantine <command> -d


3.2. Commands to manage updates and operation in the centralized protection mode

The following commands for managing updates are available, as well as commands for operation in the centralized protection mode:

Command

Description

update

Purpose: start the updating process of anti-virus components (virus databases, the scan engine, etc., depending on the distribution) from Doctor Web update servers or a local cloud using Dr.Web MeshD, terminate the updating process if it is already running, or perform rollback of the latest update to the previous versions of updated files.

The command has no effect if Dr.Web for UNIX Mail Servers is connected to the centralized protection server.

Arguments: none.

Options

--From <path>—apply updates offline from a specified directory;

--Path <path>—store files for updating offline in a specified directory; if this directory already has files, then they will be updated;

--Rollback—rollback the last update, and restore the previous version of the files that have been updated during the last update;

--Stop—terminate the running update process

esconnect
<server>[:<port>]

Purpose: connect Dr.Web for UNIX Mail Servers to the specified centralized protection server (for example, Dr.Web Enterprise Server). For details on the operation modes, refer to the Operation Modes.

Arguments

<server>—IP address or network name of the host on which the centralized protection server is operating. This argument is mandatory.

<port>—port number used by the centralized protection server. The argument is optional and should be specified only if the centralized protection server uses a non-standard port.

Options

--Certificate <path>—a file path to a certificate of the centralized protection server, the connection to which will be established.

--Login <ID>—login (workstation identifier) used for connection to the centralized protection server.

--Password <password>—password for connection to the centralized protection server.

--Group <ID>—identifier of the group to which the workstation is added on connection.

--Rate <ID>—identifier of the tariff group applied to your workstation when it is included in one of the centralized protection server groups (can be specified only together with the --Group option).

--Compress <On|Off>—enable (On) or disable (Off) forced compression of transmitted data. If not specified, usage of compression is determined by the server.

--Encrypt <On|Off>—enable (On) or disable (Off) forced encryption of transmitted data. If not specified, usage of encryption is determined by the server.

--Newbie—connect as a “newbie” (get a new account on the server).

This command requires drweb-ctl to be started with superuser (root) privileges. If necessary, use the su or sudo commands.

esdisconnect

Purpose: disconnect Dr.Web for UNIX Mail Servers from the centralized protection server and switch it to a standalone mode.

The command has no effect if Dr.Web for UNIX Mail Servers already operates in the standalone mode.

Arguments: none.

Options: none.

This command requires drweb-ctl to be started with superuser (root) privileges. If necessary, use the su or sudo commands.

3.3. Configuration Management Commands

The following commands to manage configuration are available:

Command

Description

cfset
<section>.<parameter> <value>

Purpose: Change the active value of the specified parameter in the current configuration of Dr.Web for UNIX Mail Servers.

Arguments

<section>—name of the configuration file section which provides the parameter. This argument is mandatory.

<parameter>—name of the parameter to be changed. This argument is mandatory.

<value>—new parameter value. This argument is mandatory.

To specify a parameter value, the format <section>.<parameter> <value> is always used; the assignment character = is not used.

Note that if you want to indicate several parameter values, you need to repeatedly call the cfset command, as many times as the number of parameter values you want to add. To add a new value to the list of parameter values, you need to use the -a option (see below). You cannot specify the string <parameter> <value 1>, <value 2> as an argument, because the string "<value 1>, <value 2>" will be considered one value of the <parameter>.

For description of the configuration file, refer to the section Appendix D. Dr.Web for UNIX Mail Servers Configuration File, as well as the documentation displayed upon running man 5 drweb.ini.

Options

-a [--Add]—do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can accept a list of values). This option should also be used for adding new parameter groups with a tag.

-e [--Erase]—do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list).

-r [--Reset]—reset the parameter value to the default. At that, <value> is not required in the command and is ignored if specified.

Options are not mandatory. If none is specified, the current parameter value (including a list of values) is replaced with the specified value.

If you use the -r option for sections that contain individualized parameter settings for the Dr.Web ClamD component connection points, the parameter value in the individualized settings section will be changed to the value of its corresponding “parent” parameter in the component settings section.

If you need to add a new connection point <point> for Dr.Web ClamD, use the command

cfset ClamD.Endpoint.<point> -a, for example:
cfset ClamD.Endpoint.point1 -a

This command requires drweb-ctl to be started with superuser privileges. If necessary, use the su or sudo commands.

cfshow
[<section>[.<parameter>]]

Purpose: display parameters of the current configuration of Dr.Web for UNIX Mail Servers.

Parameters are displayed in the form <section>.<parameter> = <value>. Sections and parameters of non-installed components are not displayed by default.

Arguments

<section>—name of the configuration file section parameters of which are to be displayed. The argument is optional. If not specified, parameters of all configuration file sections are displayed.

<parameter>—name of the displayed parameter. Optional argument. If not specified, all parameters of the section are displayed. Otherwise, only this parameter is displayed. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are displayed.

Options

--Uncut—display all configuration parameters, and not only those used with the currently installed set of components. If the option is not specified, only parameters used by the installed components are displayed.

--Changed—display only those parameters whose values differ from the default ones.

--Ini—display parameter values in the INI file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).

--Value—output only the value of the specified parameter. The <parameter> argument is mandatory in this case
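The following POSIX sh helpers are an added example, not code from the Dr.Web documentation or the product: they wrap cfset and cfshow as described above. The DRWEB_CTL variable, the helper function names and the sample INI value are assumptions made for this example; the parameter names (MailD.RepackPassword, ClamD.Endpoint.<point>) come from this manual. Setting DRWEB_CTL=echo lets you see the exact cfset calls without touching the configuration.

```shell
# Added example: POSIX sh helpers around "drweb-ctl cfset" and "drweb-ctl cfshow --Ini".
# Not part of the Dr.Web documentation. The drweb-ctl path is taken from DRWEB_CTL
# (an assumption of this example) so the helpers can be dry-run with DRWEB_CTL=echo.
DRWEB_CTL="${DRWEB_CTL:-drweb-ctl}"

# cfset expects exactly "<section>.<parameter> <value>": reject names that carry
# an '=' sign or whitespace, or that have no section part at all.
check_param_name() {
    case "$1" in
        ''|*=*|*' '*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace the current value of one parameter (the default cfset behaviour).
cfset_value() {
    check_param_name "$1" || { echo "bad parameter name: $1" >&2; return 1; }
    "$DRWEB_CTL" cfset "$1" "$2"
}

# Add several values to a list parameter. Passing "v1, v2" in one call would be
# stored as a single value, so every element gets its own "cfset ... -a" call.
cfset_add_list() {
    name="$1"; shift
    check_param_name "$name" || { echo "bad parameter name: $name" >&2; return 1; }
    for value in "$@"; do
        "$DRWEB_CTL" cfset "$name" "$value" -a || return 1
    done
}

# Extract one parameter from INI-formatted text on stdin, e.g. the output of
# "drweb-ctl cfshow --Ini <section>". Usage: ini_get <section> <parameter>
ini_get() {
    awk -v sec="$1" -v key="$2" '
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == sec {
            i = index($0, " = ")
            if (i > 0 && substr($0, 1, i - 1) == key) { print substr($0, i + 3); exit }
        }'
}

# Constructed sample of cfshow --Ini output: the parameter name comes from this
# manual, the value is made up for the example.
SAMPLE_INI='[MailD]
RepackPassword = HMAC(example-secret)'

ini_get_sample() { printf '%s\n' "$SAMPLE_INI" | ini_get "$1" "$2"; }

# Typical session (only where drweb-ctl is installed; cfset needs root):
#   cfset_value MailD.RepackPassword 'HMAC(new-secret)'
#   "$DRWEB_CTL" cfshow MailD.RepackPassword --Value
#   "$DRWEB_CTL" cfshow --Ini MailD | ini_get MailD RepackPassword
```

The name check is deliberately strict: a typo such as MailD.RepackPassword=value would otherwise be sent to cfset as the argument and fail there, and a comma-joined list would silently become one value, which is exactly the pitfall the description of the -a option warns about.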

reload

Purpose: reload the configuration of Dr.Web for UNIX Mail Servers.

For that purpose, the Dr.Web ConfigD configuration management daemon performs the following actions:

rereads the configuration and notifies all Dr.Web for UNIX Mail Servers components about its changes;

reopens the Dr.Web for UNIX Mail Servers log;

starts the components that use virus databases (including the scanning engine);

attempts to start those components that were shut down abnormally.

Arguments: none.

Options: none

3.4. Commands to Manage Detected Threats and Quarantine

The following commands for managing threats and quarantine are available:

Command

Description

threats
[<action> <object>]

Purpose: apply the specified action to earlier detected threats according to their identifiers. A type of the action is specified by the command option.

If the action is not specified, information about detected but not neutralized threats is displayed. The information about threats is displayed according to the format specified using the non-mandatory --Format option. If the --Format option is not specified, the following information is displayed for each threat:

an identifier assigned to the threat (its ordinal number);

the full path to the infected file;

information about the threat (its name and type according to the classification of the Doctor Web company);

information about the file: its size, owner, time of last modification;

history of operations applied to an infected file: detection, applied actions, etc.

Arguments: none.

Options

--Format "<format string>"—output information about threats in the specified format. The description of the format string is below.

If this option is specified together with any action option, it is ignored.

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is specified together with any action option, it is ignored.

--Directory <list of directories>—output only threats detected in files in directories from <list of directories>.

If this option is specified together with any option provided below, it is ignored.

--Cure <threat list>—attempt to cure the listed threats (threat identifiers are comma-separated);

--Quarantine <threat list>—quarantine the listed threats (threat identifiers are comma-separated);

--Delete <threat list>—delete the listed threats (threat identifiers are comma-separated);

--Ignore <threat list>—ignore the listed threats (threat identifiers are comma-separated).

If you need to apply the action to all detected threats, specify All instead of <threat list>. For example, the command

$ drweb-ctl threats --Quarantine All

quarantines all detected malicious objects.

quarantine
[<action> <object>]

Purpose: apply an action to the specified object in quarantine.

If the action is not specified, information about quarantined objects and their identifiers together with brief information about original files put in quarantine is displayed. Information about isolated objects is output according to a format specified with the optional --Format parameter. If the --Format parameter is not specified, the following information is output for every isolated (quarantined) object:

an identifier assigned to a quarantined object;

the original path to the file that was moved to quarantine;

the date of putting the file in quarantine;

information about the file: its size, owner, time of last modification;

information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company).

Arguments: none.

Options

-a [--Autonomous]—start a separate instance of the Dr.Web File Checker file scanning component to perform the specified quarantine action and terminate it upon completion.

This option can be used together with any options mentioned below.

--Format "<format string>"—display information about quarantined objects in the specified format. The description of format string is below.

If this option is specified together with any action option, it is ignored.

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is specified together with any action option, it is ignored.

--Discovery [<list of directories>]—search for quarantine directories in the specified list of directories and add them to the consolidated quarantine upon detecting a threat. If the <list of directories> is not specified, search for quarantine directories in the common locations of the file system (volume mounting points and user home directories).

This option can be specified not only with the -a (--Autonomous) option (see above), but also with any options/actions listed below. Moreover, if the quarantine command is run as an autonomous copy, that is, with the -a (--Autonomous) option but without the --Discovery option, then it has the same effect as calling:

quarantine --Autonomous --Discovery

--Delete <object>—delete the specified quarantined object.

Note that quarantined objects are deleted permanently—this action is irreversible.

--Cure <object>—try to cure the specified object in the quarantine.

Note that even if the object was successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore option.

--Restore <object>—restore the specified object from the quarantine to its original location.

Note that this command may require drweb-ctl to be run with superuser privileges. You can restore the file from quarantine even if it is infected.

--TargetPath <path>—restore an object from quarantine to the specified location: either as a file with the specified name (if <path> is a path to a file), or to the specified directory (if <path> is a path to a directory). A path can be absolute or relative (referring to the current directory).

Note that this option can only be used in combination with the --Restore option.

As an <object>, specify the object identifier in quarantine. To apply the action to all quarantined objects, specify All instead of <object>. For example, the command

$ drweb-ctl quarantine --Restore All --TargetPath test

restores all quarantined objects and puts them in the test subdirectory located in the current directory from which the drweb-ctl command was run.

Note that if the --Restore All variant is indicated together with the additional option --TargetPath, it must set a path to a directory, not to a file.

Formatted output for threats and quarantine commands

The output format is defined using the format string passed to the optional --Format option. The format string must be put in quotes. The format string can include common symbols (displayed “as is”), as well as special markers which will be replaced with corresponding information at the output. The following markers are available:

1. Common for threats and quarantine commands:

Marker

Description

%{n}

New line

%{t}

Tabulation

%{threat_name}

The name of detected threat (virus) according to Doctor Web classification

%{threat_type}

Threat type (“known virus”, and so on) according to Doctor Web classification

%{size}

Original file size

%{origin}

The full name of the original file with path

%{path}

Synonym of %{origin}

%{ctime}

Modification date/time of the original file in "%Y-%b-%d %H:%M:%S" format (for example, "2018-Jul-20 15:58:01")

%{timestamp}

Similar to %{ctime}, but in the UNIX timestamp format

%{owner}

The original file owner

%{rowner}

The remote owner of the original file (if not applicable or the value is unknown, it is replaced with ?)

2. Specific for threats command:

Marker

Description

%{hid}

The identifier of the threat record in the history of events associated with the threat

%{tid}

Threat identifier

%{htime}

Date/time of the event related to the threat

%{app}

The identifier of the Dr.Web for UNIX Mail Servers component which processed a threat

%{event}

The latest event related to a threat:

FOUND—a threat was detected;

Cure—a threat was cured;

Quarantine—a file with a threat was quarantined;

Delete—a file with threat was deleted;

Ignore—a threat was ignored;

RECAPTURED—a threat was detected by another component

%{err}

Error message text (if no error has occurred, the text is replaced with an empty string)

3. Specific for quarantine command:

Marker

Description

%{qid}

The identifier of the quarantined object

%{qtime}

Date/time of moving the object to quarantine

%{curetime}

Date/time of curing attempt of the quarantined object (if not applicable or the value is unknown, it is replaced with ?)

%{cureres}

The result of the quarantined object curing attempt:

cured—the threat was cured;

not cured—the threat was not cured or no curing attempts were made

Example

$ drweb-ctl quarantine --Format "{%{n} %{origin}: %{threat_name} - %{qtime}%{n}}"

This command displays quarantine contents as records of the following type:

{
<path to file>: <threat name> - <date of putting in quarantine>
}
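A practical use of the format string is to make the quarantine (or threats) listing machine-readable, so that it can be counted, filtered and fed back into the action options. The POSIX sh and awk helpers below are an added example, not code from the Dr.Web documentation or the product: the format string uses only the markers from the tables above (for the threats command, replace %{qid} with %{tid}); the helper names and the sample records are constructed assumptions for this example.

```shell
# Added example: post-processing "drweb-ctl quarantine --Format" output with
# POSIX sh and awk. Not part of the Dr.Web documentation.

# One record per line, fields separated by tabs: id, threat name, original
# file size, original path. Single quotes keep the shell away from %{...}.
QFORMAT='%{qid}%{t}%{threat_name}%{t}%{size}%{t}%{origin}%{n}'

# Number of quarantined objects per threat name, most frequent first.
threat_counts() {
    awk -F'\t' '{ n[$2]++ } END { for (t in n) printf "%d\t%s\n", n[t], t }' | sort -rn
}

# Comma-separated quarantine identifiers of one threat name, in the form
# accepted as <object> by --Cure, --Restore or --Delete.
ids_for_threat() {
    awk -F'\t' -v t="$1" '
        $2 == t { ids = ids (ids == "" ? "" : ",") $1 }
        END { print ids }'
}

# Total size in bytes of the quarantined originals (helps when sizing the
# quarantine volume).
total_size() {
    awk -F'\t' '{ s += $3 } END { printf "%d\n", s }'
}

# Constructed sample of what the format above would print; threat names,
# sizes and paths are made up for the example.
SAMPLE_RECORDS="$(printf '%s\t%s\t%s\t%s\n' \
    7 Sample.Trojan.A 10240 /var/spool/sample/msg-0001.eml \
    8 Sample.Trojan.A 2048  /var/spool/sample/msg-0002.eml \
    9 Sample.Adware.B 512   /var/spool/sample/msg-0003.eml)"

sample_threat_counts()  { printf '%s\n' "$SAMPLE_RECORDS" | threat_counts; }
sample_ids_for_threat() { printf '%s\n' "$SAMPLE_RECORDS" | ids_for_threat "$1"; }
sample_total_size()     { printf '%s\n' "$SAMPLE_RECORDS" | total_size; }

# Live usage (only where drweb-ctl is installed):
#   drweb-ctl quarantine --Format "$QFORMAT" | threat_counts
#   ids=$(drweb-ctl quarantine --Format "$QFORMAT" | ids_for_threat 'Sample.Trojan.A')
#   drweb-ctl quarantine --Cure "$ids"
```

Tabs are used as separators because %{origin} may contain spaces; a path containing a tab or newline would still break this simple parser, which is why a review of the listing is advisable before passing a generated identifier list to an irreversible action such as --Delete.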

3.5. Information Commands

The following information commands are available:

Command

Description

appinfo

Purpose: output information about active Dr.Web for UNIX Mail Servers components.

The following information is output for each running component:

internally used name;

GNU/Linux process identifier (PID);

state (running, stopped, and so on);

error code, if the component has been terminated owing to an error;

additional information (optional);

For the configuration daemon (drweb-configd), the following is output as additional information:

the list of installed components—Installed;

the list of components which must be run by the configuration daemon—Should run.

Arguments: none.

Options

-f [--Follow]—wait for new messages on module status change and display them once such a message is received (CTRL+C interrupts waiting)

baseinfo

Purpose: display the current version of the scan engine and status of virus databases.

The following information is displayed:

version of the scan engine;

release date and time of the virus databases being used;

the number of available virus records;

the time of the last successful update of the virus databases and of the scan engine;

the time of the next scheduled automatic update.

Arguments: none.

Options

-l [--List]—display the full list of downloaded files of virus databases and number of virus records in each file

certificate

Purpose: display contents of the trusted Dr.Web certificate used by Dr.Web for UNIX Mail Servers. To save the certificate to the <cert_name>.pem file, you can use the following command:

$ drweb-ctl certificate > <cert_name>.pem

Arguments: none.

Options: none

events

Purpose: view Dr.Web for UNIX Mail Servers events. Apart from that, this command allows you to manage the events (marking as read, deleting).

Arguments: none.

Options

--Report <type>—specify an event report type.

Allowed values:

BRIEF—brief report;

DEBUG—detailed report;

JSON—serialized report in the JSON format.

-f [--Follow]—wait for new events and display them upon their occurrence (CTRL+C interrupts the standby).

-s [--Since] <date, time>—show the events that occurred before the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

-u [--Until] <date, time>—show the events that occurred no later than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

-t [--Types] <type list>—show the events of the specified types only (types are comma-separated).

The following event types are available:

Mail—indicates that a threat has been detected in an email;

UnexpectedAppTermination—unexpected shutdown of a component.

To view all types of events, use All.

--ShowSeen—display already read events as well;

--Show <list of events>—display the listed events (event identifiers are comma-separated);

--Delete <list of events>—remove the listed events (event identifiers are comma-separated);

--MarkAsSeen <list of events>—mark the listed events as read (event identifiers are comma-separated).

If you want to mark as “read” or delete all events, specify All instead of <list of events>. For example, the command

$ drweb-ctl events --MarkAsSeen All

will mark all existing events as “read”.

report <type>

Purpose: create a report on Dr.Web for UNIX Mail Servers events in the HTML format (the page body is output to the specified file).

Arguments

<type>—event type that required reporting (indicate one type). See possible values in the --Types option description of the events command above. A mandatory argument.

Options

-o [--Output] <path to file>—save the report to the specified file. The option is mandatory.

-s [--Since] <date, time>—report events that occurred no earlier than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

-u [--Until] <date, time>—report events that occurred no later than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

--TemplateDir <path to directory>—a path to the directory that contains HTML report templates.

Options -s, -u, and --TemplateDir are not mandatory. For example, the command:

$ drweb-ctl report Mail -o report.html

generates a report on all existing email threat detection events, the report being based on the default template, and saves the result to the report.html file in the current directory.

idpass <identifier>

Purpose: display the password generated by the email scanning component Dr.Web MailD for an email message with the indicated identifier and used for the protection of an enclosed archive with threats removed from the email message (i.e. if RepackPassword parameter was set in the component settings to HMAC(<secret>)).

Arguments

<identifier>—an identifier of an email message.

Options

-s [--Secret] <secret>—a secret word used for the generation of the archive password.

If a secret word is not indicated when the command is called, the current secret word <secret> specified in the Dr.Web MailD settings is used. If the RepackPassword parameter is not available or is set to a value other than HMAC(<secret>), the command returns an error.

license

Purpose: display the information about the currently active license, get a demo-version license, or get the key file for a license that has already been registered (for example, that has been registered on the company website).

If no options are specified, then the following information is output (if you are using a license for the standalone mode):

a license number,

date and time when the license expires.

If you are using a license provided to you by a centralized protection server (for the use of the product in the centralized protection mode or mobile mode), the corresponding message is output.

Arguments: none.

Options

--GetDemo—request a demo key that is valid for one month and receive this key, if the conditions for the provision of a demo period have not been violated.


--GetRegistered <serial number>—get a license key file for the specified serial number, if the conditions for the provision of a new key file have not been breached (for example, breached by using the product not in the centralized protection mode, when the license is managed by a centralized protection server).

If the serial number is not the one provided for a demo period, you must first register this number at the company website.

--Proxy http://<username>:<password>@<server address>:<port>—get a license key via the proxy server (used only with one of the previously mentioned options, --GetDemo or --GetRegistered).

For further information about licensing Dr.Web products, refer to the section Licensing.

To register a serial number, an internet connection is required.

log

Purpose: display the latest log records of Dr.Web for UNIX Mail Servers in the console (the stdout stream, similar to the tail command).

Arguments: none.

Options

-s [--Size] <number>—the number of the last log records that are to be displayed on a screen.

-c [--Components] <components list>—the list of component identifiers whose records are displayed. Identifiers are comma-separated. If the option is not specified, all available records logged by all components are displayed.

Actual identifiers of the installed components (that is, the internal component names displayed in the log) can be obtained with the appinfo command (see above).

-f [--Follow]—wait for new messages in log and display them once they are received (interrupt waiting by pressing CTRL+C)

stat

Purpose: display statistics about the operation of components that process files or about the operation of the network data scanning agent Dr.Web Network Checker (press CTRL+C or Q to interrupt displaying the statistics).

The statistics output includes:

a name of the component that initiated file scanning;

component PID;

an average number of files processed per second during the last minute, 5 minutes, 15 minutes;

a percentage of using the cache of the scanned files;

an average number of scan errors per second.

For the distributed scanning agent, the following information is displayed:

a list of local clients that initiated scanning;

a list of remote hosts that received files for scanning;

a list of remote hosts that sent files for scanning.

For local clients of the distributed scanning agent, their PID and name are specified; for remote clients—an address and port of the host.

For both clients—local and remote—the following information is displayed:

an average number of files scanned per second;

an average number of sent and received bytes per second;

an average number of errors per second.

Arguments: none.

Options

-n [--netcheck]—display statistics on the operation of the network data scanning agent

lookup <type>@<tag>[@<template>]

Purpose: Verify data source connection settings.

Arguments:

<type>—a data source type. The following values are allowed: ldap, ad, pq, sqlite, mysql, redis, allmatch, regex, cidr, mask. These types are described in the section on Dr.Web LookupD settings.

<tag>—a data source identifier. For example, if the [LookupD.LDAP.auth1] section is created in the unified configuration file, auth1 will be an identifier of a data source of the LDAP type.

<template>—a template (string) to search in a data source. Optional argument. If the template is set, a search for it is performed and the true value (found) or the false value (not found) is returned.

Options

--User <user name>—a user name to connect to the data source.

--Domain <domain name>—a domain name to connect to the data source.

Note that this option can be used only together with the --User option.

-d [--Debug]—show debug information.

Examples

$ drweb-ctl lookup --user user --domain d1 "mysql@test1"