Operating Principles

This component is used to access any file system objects (files, directories, boot records). It is started with superuser (root) privileges.

It indexes all scanned files and directories and stores data about scanned objects in a special cache to avoid repeated scanning of the objects that have been already scanned and have not been modified since that (in this case, if a request to scan such an object is received, the previous scan result retrieved from the cache is returned).

When requests to scan file system objects are received from Dr.Web for UNIX Mail Servers components, it checks whether the requested object requires scanning. If so, a scanning task is generated for Dr.Web Scanning Engine. If the scanned object contains a threat, Dr.Web File Checker puts it in the registry of detected threats and applies an action to neutralize it (cure, delete or quarantine), if this action has been specified by the client component that initiated the scanning as a reaction to the threat. The scanning can be initiated by different components of Dr.Web for UNIX Mail Servers.

During scanning of the requested file system objects, the file-checking component generates a report detailing scanning results and applied actions to neutralize threats, if any, and sends this report to the client component that requested scanning.

Apart from the standard file scanning method, the following special methods are available for internal use:

•The “flow” method—a method for scanning files in stream. A component, which uses this scanning method, initializes parameters of scanning and threat neutralization only once. These parameters will be further applied to all requests to scan files from the component.

•The “proxy” method—a method for file scanning consisting in that the file-checking component only scans files for threats without applying any actions to them and without registering the detected threats (these actions are fully delegated to the component that initiated the scanning). This method is used by the Dr.Web ClamD component.

Files can be scanned with the “flow” method using the flowscan command of the Dr.Web Ctl utility (started with the drweb-ctl command). However, for a normal on-demand scanning, it is recommended that you use the scan command.

During its operation, the file-checking component not only maintains threat registry and manages quarantine, but also collects overall file scan statistics, averaging the number of files scanned per second for the last minute, last 5 minutes, last 15 minutes.