Placing in Quarantine

Quarantine directories of Dr.Web for UNIX Mail Servers 11.1 isolate files that pose a threat to system security and cannot currently be cured. These are threats that are unknown to Dr.Web for UNIX Mail Servers (the heuristic analyzer detects a virus, but the databases contain neither its signature nor a cure method) and files for which curing failed with an error. A file can also be quarantined at the user's request: either because the user chose this action for the object in the list of detected threats, or because Quarantine is configured in the settings as the reaction to this type of threat.

When a file is quarantined, it is renamed according to special rules. Renaming isolated files prevents users and applications from identifying them and makes them harder to reach for anyone attempting to bypass the quarantine management tools of Dr.Web for UNIX Mail Servers. In addition, the execute bit is cleared when a file is moved to quarantine, so that the file cannot simply be run from there.

Quarantine directories are located in:

user home directory (if multiple user accounts exist on the computer, a separate quarantine directory can be created for each of the users);

root directory of each logical volume mounted to the file system.

Dr.Web quarantine directories are always named .com.drweb.quarantine and are not created until the Quarantine action is applied; even then, only the directory needed to isolate the particular object is created. The directory is chosen by the object's owner: the search proceeds upwards from the location of the malicious object, and if the owner's home directory is reached, the quarantine storage in that directory is selected. Otherwise, the file is isolated in the quarantine located in the root directory of the volume (which is not necessarily the root of the file system). As a result, a quarantined file always stays on the same volume as the original, which keeps quarantine working correctly when several removable storage devices and other volumes are mounted at different locations in the system.
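The following is an added illustration of the storage-selection walk and the execute-bit handling described above; it is not Dr.Web's code. It assumes a POSIX host, uses os.path.ismount to recognise a volume root, and takes the mount-point set and owner home directory as parameters so the selection logic can be exercised on constructed paths. The new file name used when moving the object is a placeholder (a random token), since the product's own renaming rules are not given on this page.

```python
import os
import pwd
import stat
import uuid
from pathlib import Path
from typing import Callable

# Name used for every Dr.Web quarantine storage (from the page).
QUARANTINE_DIRNAME = ".com.drweb.quarantine"


def select_quarantine_dir(file_path: str, owner_home: str,
                          is_mount_point: Callable[[Path], bool]) -> Path:
    """Pick the quarantine storage for file_path.

    Walk upwards from the directory that holds the object. The first ancestor
    that is the owner's home directory wins; otherwise the first ancestor that
    is the root of a mounted volume does. Checking for a volume root on the way
    up is my reading of "always located on the (same) volume": an object on a
    removable medium never crosses into another file system.
    """
    path = Path(file_path)
    if not path.is_absolute():
        raise ValueError("file_path must be absolute")
    home = Path(owner_home)
    for ancestor in [path.parent, *path.parent.parents]:
        if ancestor == home or is_mount_point(ancestor):
            return ancestor / QUARANTINE_DIRNAME
    # Unreachable with a real predicate ("/" is always a mount point).
    return Path(path.anchor) / QUARANTINE_DIRNAME


def strip_exec_bits(mode: int) -> int:
    """Clear the execute permission for owner, group and others."""
    return mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def quarantine_file(file_path: str) -> Path:
    """Move a file into the storage selected for it and return its new path.

    The storage directory is created only now (the page: not created until the
    Quarantine action is applied). The destination name is a hypothetical
    placeholder; the product's own renaming scheme is not documented here.
    """
    path = Path(file_path).resolve()
    st = path.lstat()
    owner_home = pwd.getpwuid(st.st_uid).pw_dir
    qdir = select_quarantine_dir(str(path), owner_home, os.path.ismount)
    qdir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(path, strip_exec_bits(stat.S_IMODE(st.st_mode)))
    target = qdir / uuid.uuid4().hex
    os.rename(path, target)  # same volume by construction, so rename suffices
    return target


if __name__ == "__main__":
    # Constructed example: "/" and a USB stick are the mounted volumes.
    mounts = {"/", "/media/usb"}
    fake_ismount = lambda p: str(p) in mounts
    for sample, home in [("/home/alice/dl/evil.sh", "/home/alice"),
                         ("/media/usb/docs/evil.sh", "/home/alice"),
                         ("/etc/cron.d/evil", "/root")]:
        print(sample, "->", select_quarantine_dir(sample, home, fake_ismount))
```

The three constructed cases cover the situations the text distinguishes: an object under the owner's home goes to the home quarantine, an object on a separately mounted volume goes to that volume's root, and an object elsewhere on the root file system goes to the root-directory quarantine.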

A user can manage quarantine contents from the command line with the Dr.Web Ctl utility, or via the management web interface (if it is installed). Every action is applied to the consolidated quarantine; that is, changes affect all quarantine directories available at that moment.

Operation with quarantined objects is allowed even if no active license is found. However, isolated objects cannot be cured in this case.

Not all anti-virus components of Dr.Web for UNIX Mail Servers can use Quarantine for threat isolation. For example, it is not used by the Dr.Web ClamD, Dr.Web ICAPD (not included in your product) and Dr.Web MailD components.