Operating Principles

This component is used to access any file system objects (files, directories, boot records). It is started with superuser (root) privileges.

It indexes all scanned files and directories and saves the data about checked objects to a special cache. This avoids repeated scanning of objects that have already been scanned and have not been modified since: if a request to scan such an object is received, the previous scan result is retrieved from the cache and returned.
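One way to implement the "return the cached result unless the object was modified" rule described above. This is an added example, not Dr.Web code: the page does not say how Dr.Web File Checker detects modification, so the stat-based fingerprint, `ScanCache`, `marker_engine` and the sample signature are assumptions made for illustration (POSIX file systems assumed).

```python
import os
import tempfile
import time

MARKER = b"CONSTRUCTED-TEST-THREAT"  # constructed sample signature, not a real one

def marker_engine(path):  # hypothetical stand-in for a scanning engine
    with open(path, "rb") as f:
        return "threat" if MARKER in f.read() else "clean"

class ScanCache:
    """Returns the previous verdict for objects unchanged since their last scan."""
    def __init__(self, engine):
        self.engine = engine
        self.entries = {}  # (st_dev, st_ino) -> (fingerprint, verdict)
        self.engine_calls = 0

    @staticmethod
    def fingerprint(st):
        # Assumption: "modified" is judged from stat metadata. ctime is included because
        # restore tools (tar, rsync -t) put back the old mtime, but the kernel advances ctime.
        return (st.st_size, st.st_mtime_ns, st.st_ctime_ns)

    def check(self, path):  # returns (verdict, served_from_cache)
        st = os.stat(path)
        key, fp = (st.st_dev, st.st_ino), self.fingerprint(st)
        cached = self.entries.get(key)
        if cached is not None and cached[0] == fp:
            return cached[1], True
        self.engine_calls += 1
        verdict = self.engine(path)
        self.entries[key] = (fp, verdict)
        return verdict, False

def demo():
    cache = ScanCache(marker_engine)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"x" * len(MARKER))
        first, second = cache.check(path), cache.check(path)
        old = os.stat(path)
        time.sleep(1.1)  # step past coarse file system timestamp granularity
        with open(path, "r+b") as f:  # same inode, same size, new content
            f.write(MARKER)
        os.utime(path, ns=(old.st_atime_ns, old.st_mtime_ns))  # old mtime restored
        mtime_unchanged = os.stat(path).st_mtime_ns == old.st_mtime_ns
        third = cache.check(path)
    return first, second, third, mtime_unchanged, cache.engine_calls
```

Calling `demo()` shows the second request served from the cache and the third rescanned, even though the file's size and mtime match the cached entry.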

When requests to check file system objects are received from Dr.Web for UNIX Mail Servers components, it checks whether each object requires scanning. If so, a scanning task is generated for Dr.Web Scanning Engine. If the scanned object contains a threat, Dr.Web File Checker puts it into the registry of detected threats and neutralizes it (cures, deletes or quarantines it) if the client component that initiated the scanning specified this action as the reaction to a threat. The scanning can be initiated by various components of the product.

During the scanning, the file-checking component generates and sends to the client component a report detailing the results of the scanning and the applied actions, if any.

Apart from the standard scanning method, the following special methods are available for internal use:

The “flow” scanning method. A client component that uses this scanning method initializes detection and neutralization parameters only once. These parameters will be applied to all future requests to scan a file coming from this client component.

The “proxy” scanning method. When this method is used, the file-checking component scans files without applying any actions to detected threats and without keeping any records about the detected threats to permit future action. Any necessary actions must be applied by the component that initiated the scanning process. This method is used by the Dr.Web ClamD component.

Files can be scanned with the “flow” scanning method using the flowscan command of the Dr.Web Ctl utility (launched with the drweb-ctl command). However, for normal on-demand scanning, it is recommended that you use the scan command.

During its work, the file scanning component not only keeps a threats registry and manages quarantine, but also collects overall file scan statistics: the average number of files checked per second over the last minute, the last 5 minutes and the last 15 minutes.