Command-Line Call Format

1. Command Format for Calling the Command-Line Utility to Manage the Product

The call format for the command-line tool which manages Dr.Web for UNIX Mail Servers operation is as follows:

$ drweb-ctl [<general options> | <command> [<argument>] [<command options>]]

where:

<general options>—options that can be applied on startup when the command is not specified or can be applied for any command. Not mandatory for startup;

<command>—command to be performed by Dr.Web for UNIX Mail Servers (for example, start scanning, output the list of quarantined objects, and other commands);

<argument>—command argument. Depends on the specified command. It can be missing for certain commands;

<command options>—options for managing the operation of the specified command. They can be omitted for some commands.

2. General Options

The following general options are available:

Option

Description

-h, --help

Show general help information and exit. To display the help information on any command, use the following call:

$ drweb-ctl <command> -h

-v, --version

Show information on the module version and exit

-d, --debug

Show debug information upon execution of the specified command. It cannot be executed if a command is not specified. Use the call:

$ drweb-ctl <command> -d

3. Commands

Commands to manage Dr.Web for UNIX Mail Servers can be divided into the following groups:

Anti-virus scanning commands.

Commands to manage updates and operation in the centralized protection mode.

Configuration management commands.

Commands to manage detected threats and quarantine.

Information commands.

To request help about this component of the product from the command line, use the following command man 1 drweb-ctl.

3.1. Anti-virus Scanning Commands

The following commands to manage anti-virus scanning are available:

Command

Description

scan <path>

Purpose: to initiate the scan of the specified file or directory by the file scanning component Dr.Web File Checker.

Arguments

<path>—path to the file or directory to be scanned (the path can be relative).

This argument may be omitted if you use the --stdin or the --stdin0 option. To specify several files that satisfy a certain criterion, use the find utility (see Usage Examples) and the --stdin or --stdin0 option.

Options

-a [--Autonomous] runs an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of threats detected displayed by threats command (see below), and information on them will not be sent to the centralized protection server, if Dr.Web for UNIX Mail Servers is controlled by it.

--stdin—get the list of paths to scan from the standard input string (stdin). Paths in the list need to be separated by the next line character ('\n').

--stdin0—get the list of paths to scan from the standard input string (stdin). Paths in the list need to be separated by the zero character NUL ('\0').

When using --stdin and --stdin0 options, the paths on the list should not contain patterns or regular expressions for a search. We recomment that you use the --stdin and --stdin0 options to process a paths list generated by an external utility, for example, find in the scan command (see Usage Examples).

--Exclude <path>—an excluded path. The path can be relative and contains a file mask (with the following wildcards: '?' and '*', as well as symbol classes '[ ]', '[! ]', '[^ ]').

Facultative option; can be set more than once.

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000.

--MaxSizeToExtract <size>—specify the maximum size for files enclosed in archives. Files whose size is greater than the value of this parameter will be skipped when scanning. There is no size limit for files in archives by default. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as size in bytes.

Default value: none.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On.

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report.

--OnIncurable <action>—an action to perform upon detection an incurable threat or when curing action (Cure) failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnSuspicious <action>—an action to perform upon detection of a suspicious object by heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnAdware <action>—an action to perform upon detection of adware programs.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

If threat is detected in a file placed in a container (an archive, an email message, and so on), instead of removing the file (Delete), the tool moves the container to the quarantine (Quarantine).

--FollowSymlinks—resolve symlinks automatically

bootscan
<disk drive> | ALL

Purpose: start scanning boot records on the specified disks via the file scan component Dr.Web File Checker. Both MBR and VBR records are scanned.

Arguments

<disk drive>—path to the block file of a disk device whose boot record you want to scan. You can specify several disk devices separated by spaces. The argument is mandatory. If ALL is specified instead of the device file, all boot records on all available disk devices will be checked.

Options

-a [--Autonomous] runs an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed by threats command (see below), and information on them will not be sent to the centralized protection server, if Dr.Web for UNIX Mail Servers is controlled by it.

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On.

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No.

--ShellTrace—enable display of additional debug information when scanning a boot record

procscan

Purpose: initiates scanning of executables containing the code of currently running system processes with the Dr.Web File Checker component. If a malicious executable file is detected, it is neutralized, and all processes run by this file are forced to terminate.

Arguments: none.

Options

-a [--Autonomous] runs an autonomous copy of Dr.Web Scanning Engine and Dr.Web File Checker to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of detected threats displayed by threats command (see below), and information on them will not be sent to the centralized protection server, if Dr.Web for UNIX Mail Servers is controlled by it.

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report.

--OnIncurable <action>—an action to perform upon detection an incurable threat or when curing action (Cure) failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnSuspicious <action>—an action to perform upon detection of a suspicious object by heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnAdware <action>—an action to perform upon detection of adware programs.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

Note that if a threat is detected in an executable file, Dr.Web for UNIX Mail Servers terminates all processes started by the file.

netscan [<path>]

Purpose: start distributed scanning of the specified file or directory via the Dr.Web Network Checker agent for network data scanning. If there are no configured connections to other hosts that are running Dr.Web for UNIX, then the scanning will be done only via the locally-available scan engine (similar to the scan command).

Arguments

<path>—path to the file or directory which is selected to be scanned.

If this argument is omitted, the data received via the input thread stdin is scanned.

Options

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000.

--MaxSizeToExtract <size>—specify the maximum size for files enclosed in archives. Files whose size is greater than the value of this parameter will be skipped when scanning. There is no size limit for files in archives by default. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as size in bytes.

Default value: none.

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No

flowscan <path>

Purpose: start scanning the specified file or directory via Dr.Web File Checker using the “flow” method.

For on-demand scanning of files and directories, it is recommended that you use the scan command.

Arguments

<path>—path to the file or directory which is selected to be scanned.

Options

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000.

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report.

--OnIncurable <action>—an action to perform upon detection an incurable threat or when curing action (Cure) failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnSuspicious <action>—an action to perform upon detection of a suspicious object by heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnAdware <action>—an action to perform upon detection of adware programs.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report.

If threat is detected in a file placed in a container (an archive, an email message, and so on), instead of removing the file (Delete), the tool moves the container to the quarantine (Quarantine).

rawscan <path>

Purpose: start “raw” scanning of the specified file or directory by Dr.Web Scanning Engine directly, without the use of Dr.Web File Checker.

Note that threats detected by “raw” scanning are not included into the list of detected threats that is displayed by the threats command (see below).

 

It is recommended that you use this command only to debug the functioning of Dr.Web Scanning Engine. Note that the command outputs the “cured” status, if at least one threat is neutralized of those threats that are detected in a file (not all threats might be neutralized). Thus, it is not recommended to use this command if you need thorough file scanning. In the latter case it is recommended to use the scan command.

Arguments

<path>—path to the file or directory which is selected to be scanned.

Options

--ScanEngine <path>—path to the UNIX socket of the Dr.Web Scanning Engine. If not specified, an autonomous instance of the scan engine is started (which will be shut down once the scanning is completed).

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000.

--MaxSizeToExtract <size>—specify the maximum size for files enclosed in archives. Files whose size is greater than the value of this parameter will be skipped when scanning. There is no size limit for files in archives by default. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as size in bytes.

Default value: none.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On.

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No.

--ListCleanItem—enable outputting the list of clean (non-infected) files found inside a container that was scanned.

--ShellTrace—enable display of additional debug information when scanning a file.

--Output <path to file>—duplicate the output of the command to the specified file

remotescan
<host> <path>

Purpose: initiates scanning of the specified file or directory on the specified remote host by connecting to it via SSH or Telnet.

Note that threats detected by remote scanning will not be neutralized and also will not be included into the list of detected threats that is displayed by the threats command (see below).

 

This function can be used only for detection of malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, it is necessary to use administration tools provided directly by this host. For example, for routers, set-top boxes, and other “smart” devices, a mechanism for a firmware update can be used; for computing machines, it can be done via a connection to them (as an option, using a remote terminal mode) and respective operations in their file system (removal or moving of files, and so on), or via running an anti-virus software installed on them.

Arguments

<host>—IP address or a domain name of the remote host.

<path>—path to the file or directory to be scanned (the path must be absolute).

Options

-m [--Method] <SSH|Telnet>—remote host connection method (protocol).

If method is not specified, SSH is used.

-l [--Login] <name>—login (user name) used for authorization on the remote host via the selected protocol.

If a user name is not specified, there will be an attempt to connect to a remote host on behalf of the user who has launched the command.

-i [--Identity] <path to file>—path to the file containing a private key used for authentication of the specified user via the selected protocol.

-p [--Port] <number>—number of the port on the remote host for connecting via the selected protocol.

Default value: default port for the selected protocol (22 for SSH, 23 for Telnet).

--ForceInteractive—use the SSH interactive session (only for SSH connections).

Optional feature.

--TransferListenAddress <address>—an address, listened to receive files transferred from the remote device for scanning.

Optional feature. If not indicated, an arbitrary address is used.

--TransferListenPort <port>—a port, listened to receive files transferred from the remote device for scanning.

Optional feature. If not indicated, an arbitrary port is used.

--TransferExternalAddress <address>—an address specified to the remote device to send files for scanning.

Optional feature. If not indicated, use the --TransferListenAddress value, or the outgoing address of the already established session.

--TransferExternalPort <port>—a port to transfer files for scanning, specified for the remote device.

Optional feature. If not indicated, an automatically determined port is used.

--Password <password>—password used for authentication of a user via the selected protocol.

Please note that the password is transferred as a plain text.

--Exclude <path>—the path to be excluded from scanning. The path can contain a file mask with the following allowed symbols: '?' and '*', as well as the symbol classes '[ ]', '[! ]', '[^ ]'. The path (including the path with the file mask) mast be absolute.

Facultative option; can be set more than once.

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, time on scanning is not limited.

Default value: 0.

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MailMaxLevel <number>—set the maximum nesting level when scanning files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other types objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

If the value is set to 0, nested objects will be skipped during scanning.

Default value: 8.

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be at least equal to 2.

Default value: 3000.

--MaxSizeToExtract <size>—specify the maximum size for files enclosed in archives. Files whose size is greater than the value of this parameter will be skipped when scanning. There is no size limit for files in archives by default. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as size in bytes.

Default value: none.

--HeuristicAnalysis <On|Off>—enable or disable heuristic analysis during the scanning.

Default value: On

checkmail
<path to file>

Purpose: performs scan of an email message saved to a file for threats, signs of spam, malicious links, or non-compliance with rules of mail processing (using the emails processing component Dr.Web MailD). The console output thread (stdout) will display the message scanning results and the action applied to this message while scanning by the email processing component Dr.Web MailD.

Arguments

<path to file>—path to file of the email message that requires scanning. Mandatory argument.

Options

--Report <type>—specifies the type of scan report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

Default value: BRIEF.

-r [--Rules] <list of rules>—indicate a list of rules to follow during an email message scanning.

If the rules are not indicated, the following set of rules used by default will be applied:

threat_category in (KnownVirus, VirusModification, UnknownVirus, Adware, Dialer) : REJECT
total_spam_score gt 0.80 : REJECT
url_category in (InfectionSource, NotRecommended, CopyrightNotice) : REJECT

If Dr.Web Anti-Spam is not installed, the scanning rule for spam (the second string) will be automatically excluded from the set.

-c [--Connect] <IP>:<port>—indicate a network socket that will be used as an address for connection by a sender of the scanned message.

-e [--Helo] <name>—indicate an identifier of a client that sent a message (IP address or FQDN host, as for the SMTP command HELO/EHLO).

-f [--From] <email>—indicate an email address of a sender (as for the SMTP command MAIL FROM).

If the address is not indicated, the respective address from an email will be used.

-t [--Rcpt] <email>—indicate an email address of a recipient (as for the SMTP command RCPT TO).

If the address is not indicated, the respective address from an email will be used.

If emails processing component is not installed, calling this command will return an error.

 

mailquarantine

Purpose: Configure the auxiliary Dr.Web Mail Quarantine component that manages email message queues.

Arguments: none.

Options

--Flush—move scheduled messages from the specified queue to the queue for immediate processing. Requires the --Queue option to be specified. Use the following call:

$ drweb-ctl mailquarantine --Queue <queue> --Flush

--Show—show the specified message queue. Requires the --Queue option to be specified. Use the following call:

$ drweb-ctl mailquarantine --Queue <queue> --Show

--Stat—show statistics on all message queues.

--CheckHealth—perform a consistency check on the message database.

--FixHealth—fix consistency errors in the message database.

-q [--Queue] <queue>—specify the message queue to be processed.

Allowed values:

SmtpFresh—messages to be checked in SMTP mode.

SmtpAccepted—messages checked and accepted in SMTP mode.

BccFresh—messages to be checked in BCC mode.

BccAccepted—messages checked and accepted in BCC mode.

-l [--Limit] <number>—set the maximum number of displayed messages from the selected queue.

-d [--Debug]—show debug information upon execution of the specified command. It cannot be executed if a command is not specified. Use the call:

$ drweb-ctl mailquarantine <command> -d

 

3.2. Commands to manage updates and operation in the centralized protection mode

The following commands for managing updates are available, as well as commands for operation in the centralized protection mode:

Command

Description

update

Purpose: initiates updates of anti-virus components (virus databases, the scan engine, etc., depending on the distribution) from the Doctor Web update servers or the local cloud via Dr.Web MeshD, terminates the updating process if already running, or performs rollback of the latest update to previous versions of the updated files.

The command has no effect if Dr.Web for UNIX Mail Servers is connected to the centralized protection server.

Arguments: none.

Options

-l [--local-cloud] uses the local cloud connected to Dr.Web for UNIX Mail Servers to download the updates. If the option is not specified, the updates are downloaded from the Doctor Web update servers (default behavior).

--From <path>—apply updates from a specified directory offline.

--Path <path>—store files for updating offline in a specified directory; if this directory already has files, then they will be updated.

--Rollback—rollback the last update, and restore the previous version of files that have been updated during the last update.

--Stop—terminate the running updating process

esconnect
<server>[:<port>]

Purpose: connects Dr.Web for UNIX Mail Servers to the specified centralized protection server (for example, Dr.Web Enterprise Server). For details on the operation modes, refer to the Operation Modes.

Arguments

<server>—IP address or network name of the host on which the centralized protection server is operating. This argument is mandatory.

<port>—port number used by the centralized protection server. The argument is optional and should be specified only if the centralized protection server uses a non-standard port.

Options

--Certificate <path>—a file path to a certificate of the centralized protection server, the connection to which will be established.

--Login <ID>—login (workstation identifier) used for connection to the centralized protection server.

--Password <password>—password for connection to the centralized protection server.

--Group <ID>—identifier of the group to which the workstation is added on connection.

--Rate <ID>—identifier of the tariff group applied to your workstation when it is included in one of the centralized protection server groups (can be specified only together with the --Group option).

--Compress <On|Off>—enables (On) or disables (Off) forced compression of transmitted data. If not specified, usage of compression is determined by the server.

--Encrypt <On|Off>—enables (On) or disables (Off) forced encryption of transmitted data. If not specified, usage of encryption is determined by the server.

--Newbie—connect as a “newbie” (get a new account on the server).

This command requires drweb-ctl to be started with root privileges. If necessary, use the su or sudo commands.

esdisconnect

Purpose: disconnect Dr.Web for UNIX Mail Servers from the centralized protection server and switch its operation to standalone mode.

The command has no effect if Dr.Web for UNIX Mail Servers already operates in standalone mode.

Arguments: none.

Options: none.

This command requires drweb-ctl to be started with root privileges. If necessary, use the su or sudo commands.

3.3. Configuration Management Commands

The following commands to manage configuration are available:

Command

Description

cfset
<section>.<parameter> <value>

Purpose: to change the active value of the specified parameter in the current configuration of Dr.Web for UNIX Mail Servers.

Arguments

<section>—name of the configuration file section where the parameter resides. This argument is mandatory.

<parameter>—name of the parameter. The argument is mandatory.

<value>—new parameter value. This argument is mandatory.

To specify the parameter value, we use the format <section>.<parameter> <value>. Assignment character '=' is not used here.

Note that if you want to indicate several parameter values, you need to repeatedly call the cfset command, as many times as the number of parameter values you want to add. To add a new value to the list of parameter values, you need to use the -a option (see below). You cannot specify the string <parameter> <value 1>, <value 2> as an argument, because the string "<value 1>, <value 2>" will be considered one value of the <parameter>.

For description of the configuration file, refer to the section Appendix D. Dr.Web for UNIX Mail Servers Configuration File, as well as the documentation page displayed by man 5 drweb.ini.

Options

-a [--Add]—do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can have several values, specified as a list). You should also use this option to when adding a new parameter group identified by a tag.

-e [--Erase]—do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list).

-r [--Reset]—reset the parameter value to the default. At that, <value> is not required in the command and is ignored if specified.

Options are not mandatory. If they are not specified, then the current parameter value (the entire list of values, if the parameter currently holds several values) are substituted with the specified value.

For sections that describe the individual parameters for connection points of Dr.Web ClamD, using the -r option changes the parameter value in the individual settings section to the value of its parent parameter in the settings of this component.

If you need to add a new connection point <point> for Dr.Web ClamD, use the following command:

cfset ClamD.Endpoint.<point> -a, for example:
cfset ClamD.Endpoint.point1 -a

This command requires drweb-ctl to be started with root privileges. If necessary, use the su or sudo commands.

cfshow
[<section>[.<parameter>]]

Purpose: displays parameters of the current configuration of Dr.Web for UNIX Mail Servers.

The command to display parameters is specified as follows <section>.<parameter> = <value>. Sections and parameters of non-installed components are not displayed.

Arguments

<section>—name of the configuration file section parameters of which are to be displayed. The argument is optional. If not specified, parameters of all configuration file sections are displayed.

<parameter>—name of the displayed parameter. Optional argument. If not specified, all parameters of the section are displayed. Otherwise, only this parameter is displayed. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are displayed.

Options

--Uncut—display all configuration parameters (not only those used with the currently installed set of components). If the option is not specified, only parameters used for configuration of the installed components are displayed.

--Changed—display only those parameters whose values differ from the default ones.

--Ini—display parameter values in the INI file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).

--Value—display only value of the specified parameter (the <parameter> argument is mandatory in this case)

reload

Purpose: send the SIGHUP signal to the Dr.Web ConfigD configuration daemon.

On receiving this signal, the Dr.Web ConfigD configuration daemon rereads the configuration and sends its changes to the Dr.Web for UNIX Mail Servers components. Then, the configuration daemon reopens the Dr.Web for UNIX Mail Servers log, restarts the components that use virus databases (including the scan engine), and attempts to restart those components which were terminated abnormally.

Arguments: none.

Options: none

3.4. Commands to Manage Detected Threats and Quarantine

The following commands for managing threats and quarantine are available:

Command

Description

threats
[<action> <object>]

Purpose: apply the specified action to detected threats, selected by their identifiers. Type of the action is specified by the command option.

If the action is not specified, displays information on detected but not neutralized threats. The information on threats is displayed according the format, specified using the optional --Format option. If the --Format option is not specified, for each threat the following information is displayed:

Identifier assigned to the threat (its ordinal number).

The full path to the infected file.

Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company).

Information about the file: size, the file owner’s user name, the time of last modification.

History of operations applied to the threat: detection, applied actions, and so on.

Arguments: none.

Options

--Format "<format string>"—displays information on threats in the specified format. The description of format string is below.

If this option is specified along with any action options, it is ignored.

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is specified along with any action options, it is ignored.

--Directory <list of directories>—displays only threats detected in files in directories from <list of directories>.

If this option is applied along with any options mentioned below, it is ignored.

--Cure <threat list>—attempt to cure the listed threats (list threat identifiers separating them with commas).

--Quarantine <threat list> moves the listed threats to quarantine (list threat identifiers are separated with commas).

--Delete <threat list>—delete the listed threats (list threat identifiers separating them with commas).

--Ignore <threat list>—ignore the listed threats (list threat identifiers separating them with commas).

If you need to apply the action to all detected threats, specify All instead of <threat list>. For example, the command:

$ drweb-ctl threats --Quarantine All

moves all detected malicious objects to quarantine

quarantine
[<action> <object>]

Purpose: applies an action to the specified object in quarantine.

If an action is not specified, information on quarantined objects and their identifiers together with brief information on original files moved to quarantine is displayed. Information on isolated objects is displayed according a format, specified with optional --Format argument. If the --Format argument is not specified, for every isolated (quarantined) object the following information is displayed:

Identifier assigned to the quarantined object.

The original path to the file, before it was moved to quarantine.

The date when the file was put in quarantine.

Information about the file: size, the file owner’s user name, the time of last modification.

Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company).

Arguments: none.

Options

-a [--Autonomous] starts a separate instance of the Dr.Web File Checker file scanning component to perform the specified quarantine command and terminate it upon completion.

This option can be applied along with any options mentioned below.

--Format "<format string>"—displays information on quarantined objects in the specified format. The description of format string is below.

If this option is specified along with any action options, it is ignored.

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is specified along with any action options, it is ignored.

--Discovery [<list of directories>,] searches for quarantine directories in the specified list of directories and add them to the consolidated quarantine upon detecting a threat. If the <list of directories> is not specified, it searches for quarantine directories in the common locations of the file system (volume mounting points and user home directories).

This option can be specified not only with the -a (--Autonomous) option (see above), but also with any options/actions listed below. Moreover, if the quarantine command is launched as an autonomous copy, that is, with the -a (--Autonomous) option but without the --Discovery option, then it is equivalent to the call of:

quarantine --Autonomous --Discovery

--Delete <object>—delete the specified object from quarantine.

Note that objects are deleted from quarantine permanently—this action is irreversible.

--Cure <object>—try to cure the specified object in the quarantine.

Note that even if the object was successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore option.

--Restore <object>—restore the specified object from the quarantine to its original location.

Note that this command may require drweb-ctl to be started with root privileges. You can restore the file from quarantine even if it is infected.

--TargetPath <path>—restores an object from the quarantine to the specified location: either as a file with the name specified here (if the <path> is a path to a file), or just to the specified directory (if the <path> is a path to a directory). A path can be an absolute as well as relative (referring to a current directory).

Note that this option can only be used in combination with the --Restore option.

As an <object>, specify the object identifier in quarantine. To apply the action to all quarantined objects, specify All instead of <object>. For example, the command:

$ drweb-ctl quarantine --Restore All --TargetPath test

restores all quarantined objects and puts them in test subdirectory, located in a current directory, from which drweb-ctl command was launched.

Note that for the --Restore All variant the additional option --TargetPath, if specified, must set a path to a directory, not a path to a file

Formatted output for threats and quarantine commands

The output format is defined using the format string, specified as the optional argument --Format. The format string must be specified in quotes. The format string can include common symbols (displayed “as is”), as well as special markers, output as certain information. The following markers are available:

1.Common for threats and quarantine commands:

Marker

Description

%{n}

New string

%{t}

Tabulation

%{threat_name}

The name of detected threat (virus) according Doctor Web classification

%{threat_type}

Threat Type (“known virus”, and so on) according Doctor Web classification

%{size}

Original file size

%{origin}

The full name of the original file with path

%{path}

Synonym for %{origin}

%{ctime}

Date/time of original file modifying in "%Y-%b-%d %H:%M:%S" format (for example, "2018-Jul-20 15:58:01")

%{timestamp}

Similar to %{ctime}, but in the UNIX timestamp format

%{owner}

Username of the original file owner

%{rowner}

The remote user owner of the original file (if not applicable or value is unknown it is replaced with ?)

2.Specific for threats command:

Marker

Description

%{hid}

The identifier of the threat record in the history of events associated with the threat

%{tid}

The threat identifier

%{htime}

Date/time of the event related to a threat

%{app}

The identifier of the Dr.Web for UNIX Mail Servers component which processed a threat

%{event}

The latest event related to a threat:

FOUND—a threat was detected;

Cure—a threat was cured;

Quarantine—a file with threat was moved to quarantine;

Delete—a file with threat was deleted;

Ignore—a threat was ignored;

RECAPTURED—a threat was detected again by an other component

%{err}

Error message text (if no error is replaced with an empty string)

3.Specific for quarantine command:

Marker

Description

%{qid}

The identifier of quarantined object

%{qtime}

Date/time of moving the object to quarantine

%{curetime}

Date/time of curing attempt of the object moved to quarantine (if not applicable or value is unknown it is replaced with ?)

%{cureres}

The result of the quarantined object curing attempt:

cured—a threat is cured;

not cured—a threat was not cured or no curing attempts were performed

Example

$ drweb-ctl quarantine --Format "{%{n} %{origin}: %{threat_name} - %{qtime}%{n}}"

This command displays quarantine contents as records of the following type:

{
<path to file>: <threat name> - <date of moving to quarantine>
}

3.5. Information Commands

The following information commands are available:

Command

Description

appinfo

Purpose: output information on the active Dr.Web for UNIX Mail Servers components.

The following information is displayed about each component that is currently running:

Internally-used name.

Process identifier GNU/Linux (PID).

State (running, stopped, and so on).

Error code, if the work of the component has been terminated because of an error.

Additional information (optional).

For the configuration daemon (drweb-configd) the following is displayed as additional information:

The list of installed components—Installed.

The list of components which must be launched by the configuration daemon—Should run.

Arguments: none.

Options

-f [--Follow]—waits for new messages on module status change and display them once such a message is received (CTRL+C interrupts the waiting)

baseinfo

Purpose: display the information on the current version of the scan engine and status of virus databases.

The following information is displayed:

Version of the scan engine.

Date and time when the virus databases that are currently used were issued.

The number of available virus records (in the virus databases).

The time of the last successful update of the virus databases and of the scan engine.

The time of the next scheduled automatic update.

Arguments: none.

Options

-l [--List]—displays the full list of downloaded files of virus databases and number of virus records in each file

certificate

Purpose: displays contents of the trusted Dr.Web certificate used by Dr.Web for UNIX Mail Servers. To save the certificate to the <cert_name>.pem file, you can use the following command:

$ drweb-ctl certificate > <cert_name>.pem

Arguments: none.

Options: none

events

Purpose: viewing of the Dr.Web for UNIX Mail Servers events. Apart from that, the command allows you to manage events (mark as read, remove).

Arguments: none.

Options

--Report <type>—specify the type of event report.

Allowed values:

BRIEF—brief report.

DEBUG—detailed report.

JSON—a serialized report in JSON format.

-f [--Follow]—waits for new events and displays them upon emergence (CTRL+C interrupts the standby).

-s [--Since] <date, time>—shows the events that occurred before the specified timestamp (<date, time> is specified as YYYY-MM-DD hh:mm:ss).

-u [--Until] <date, time>—shows the events that occurred no later than the specified timestamp (<date, time> is specified as YYYY-MM-DD hh:mm:ss).

-t [--Types] <type list>—shows only events of the specified types (separated by commas).

The following event types are available:

Mail—indicates that a threat has been detected in an email;

UnexpectedAppTermination—unexpected shutdown of a component.

To view all types of events, use All.

--ShowSeen—displays of already read events as well.

--Show <list of events>—displays the listed events (event identifiers are separated by commas).

--Delete <list of events>—removal of listed events (event identifiers are separated by commas).

--MarkAsSeen <list of events>—marks the listed events as read (event identifiers are separated with a comma).

If you want to mark as “read” or delete all events, specify All instead of <events list>. For example, the command:

$ drweb-ctl events --MarkAsSeen All

will mark as “read” all existing events

report <type>

Purpose: create a report on Dr.Web for UNIX Mail Servers events in the HTML format (the page body is output to the specified file).

Arguments

<type>—event type that required reporting (indicate one type). See possible values in the --Types option description of the events command above. A mandatory argument.

Options

-o [--Output] <path to file>—save the report to the specified file. The option is mandatory.

-s [--Since] <date, time>—reports events that occurred no earlier than the specified timestamp (<date, time> is specified as YYYY-MM-DD hh:mm:ss).

-u [--Until] <date, time>—reports the events that occurred no later than the specified timestamp (<date, time> is specified as YYYY-MM-DD hh:mm:ss).

--TemplateDir <path to directory>—a path to the directory that contains HTML report templates.

Options -s, -u, and --TemplateDir are not mandatory. For example, the following command:

$ drweb-ctl report Mail -o report.html

generates a report on all existing email message threat detection events, based on the default template, and saves the result in the report.html file in the current directory

idpass <identifier>

Purpose: display the password that has been generated by the scanning component of email messages Dr.Web MailD for the email message with the indicated identifier and used for the protection of enclosed archive with threats removed from the email message (i.e. if RepackPassword parameter is set in the component settings to HMAC(<secret>)).

Arguments

<identifier>—identifier of email messages.

Options

-s [--Secret] <secret>—Secret word used for generation of an archive password.

If a secret word is not indicated when the command is called, the current secret word <secret> is used. It is indicated in the Dr.Web MailD settings. And if RepackPassword parameter is not available or is set to a value different from HMAC(<secret>), the command will return an error

license

Purpose: show the information about the currently active license, or get a demo-version license, or get the key file for a license that has already been registered (for example, that has been registered on the company website).

If no options are specified, then the following information is displayed (if you are using a license for the standalone mode):

License number.

Date and time when the license expires.

If you are using a license provided to you by the centralized protection server (for the use of the product in the centralized protection mode or in the mobile mode), then the appropriate message will be displayed.

Arguments: none.

Options

--GetRegistered <serial number>—get a license key file for the specified serial number, if the conditions for the provision of a new key file have not been breached (for example, breached by using the product not in the centralized protection mode, when the license is managed by a centralized protection server).

If the serial number is not the one provided for the demo period, you must first register it at the company website.

--Proxy http://<username>:<password>@<server address>:<port number>—get a license key file through a proxy server (used only with the --GetRegistered option).

For further information on licensing of Dr.Web products, refer to the Licensing section.

To register a serial number, an internet connection is required.

log

Purpose: displays the latest log records of Dr.Web for UNIX Mail Servers on console screen (in the stdout thread), similar to tail command.

Arguments: none.

Options

-s [--Size] <number>—the number of the last log records that are to be displayed on a screen.

-c [--Components] <components list>—the list of component identifiers, which records are displayed. Identifiers are defined with comma separation. If the argument is not defined, all available records logged by all components are displayed.

Actual identifiers of the components installed (e.g. internal components names, displayed in log) you can define by using the appinfo command (see above).

-f [--Follow]—waits for new messages in log and display them once such a message is received (interrupt waiting by pressing CTRL+C)

stat

Purpose: Output statistics about the operation of components that process files or about the operation of the network data scanning agent Dr.Web Network Checker (pressing CTRL+C or Q interrupts the statistics display).

The statistics output includes:

name of the component that initiated scanning.

PID of the component.

average number of files processed per second during the last minute, 5 minutes, 15 minutes.

usage percentage of the scanned files cache.

average number of scan errors per second.

For the distributed scanning agent, the following information is output:

list of local clients that initiated scanning.

list of remote hosts that received files for scanning.

list of remote hosts that sent files for scanning.

For local clients of the distributed scanning agent, their PID and name are specified; for remote clients—address and port of the host.

For both clients—local and remote—the following information is output:

average number of files scanned per second.

average number of sent and received bytes per second.

average number of errors per second.

Arguments: none.

Options

-n [--netcheck] outputs statistics on operation of the network data scanning agent