Operating Principles

The Dr.Web Scanning Engine component operating in daemon mode receives requests from other Dr.Web Mail Security Suite components to scan file system objects (files and boot records) for embedded threats, queues the scanning tasks and scans the requested objects with Dr.Web Virus-Finding Engine. If a threat is detected in a scanned object and the scanning task requires that it be cured, the scanning engine attempts to cure it if this action is applicable.

The scanning engine, Dr.Web Virus-Finding Engine and virus databases form a single entity and cannot be separated. The scanning engine downloads the virus databases and provides an operating environment for the cross-platform Dr.Web Virus-Finding Engine. The virus databases and the scanning engine are updated by the Dr.Web Updater component, which is included in Dr.Web Mail Security Suite but is not part of the scanning engine. The update component is run by the Dr.Web ConfigD configuration management daemon, either periodically or on demand in response to a user command. In addition, if Dr.Web Mail Security Suite operates in centralized protection mode, the virus databases and the scanning engine are updated by Dr.Web ES Agent, which interacts with a centralized protection server and receives updates from it.

Dr.Web Scanning Engine can be controlled by the Dr.Web ConfigD configuration management daemon or operate in standalone mode. In the former case, the daemon starts the engine and ensures that the virus databases are up to date. In the latter case, the engine is started and the virus databases are updated by an external application that uses the engine. Both the Dr.Web Mail Security Suite components that make requests to the scanning engine for scanning files and external applications use the same API.

You can create your own component (an external application) using Dr.Web Scanning Engine for scanning files. For this purpose, Dr.Web Scanning Engine provides a custom API based on the Google Protobuf technology. To obtain the Dr.Web Scanning Engine API guide and examples of client application code using Dr.Web Scanning Engine, contact the partner relations department of the Doctor Web company (https://partners.drweb.com/).

Received scanning tasks are automatically distributed among queues with different priorities (high, normal and low). The queue selected for a task depends on the component that created the task. For example, tasks received from file system monitors are placed in the high-priority queue, because response time is important when monitoring file system objects. The scanning engine collects statistics on its usage, including the total number of tasks received for scanning and the queue lengths. As its average load rate, the scanning engine uses the average queue length per second. This rate is averaged over the last minute, the last 5 minutes and the last 15 minutes.
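The following model of the queueing and load statistics described above is an added example, not Dr.Web code and not part of the Dr.Web Scanning Engine API. The class and function names are hypothetical, and it assumes strict priority dispatch, a load sample equal to the total number of queued tasks taken once per second, and a plain mean over each window; the engine's actual method is not documented here.

```python
from collections import deque

PRIORITIES = ("high", "normal", "low")   # queue names taken from the page
WINDOWS = (60, 300, 900)                 # 1, 5 and 15 minutes, in seconds


class ScanQueueModel:
    """Hypothetical model of the engine's queues and load statistics."""

    def __init__(self):
        self.queues = {p: deque() for p in PRIORITIES}
        self.samples = deque(maxlen=max(WINDOWS))  # one sample per second
        self.received = 0                          # all tasks ever received

    def submit(self, task, priority="normal"):
        self.queues[priority].append(task)
        self.received += 1

    def next_task(self):
        # Assumption: strict priority order, FIFO within a queue.
        for p in PRIORITIES:
            if self.queues[p]:
                return self.queues[p].popleft()
        return None

    def tick(self):
        # Called once per second: record the total number of queued tasks.
        self.samples.append(sum(len(q) for q in self.queues.values()))

    def load_averages(self):
        # Assumption: plain mean of the per-second samples in each window.
        recent = list(self.samples)
        return tuple(
            sum(recent[-w:]) / len(recent[-w:]) if recent else 0.0
            for w in WINDOWS
        )


def burst_demo():
    """Constructed workload: 14 idle minutes, then 10 tasks stuck for 60 s."""
    m = ScanQueueModel()
    for _ in range(840):
        m.tick()
    for i in range(10):
        m.submit(f"file-{i}", "high" if i < 2 else "low")
    for _ in range(60):
        m.tick()
    return m.load_averages()


if __name__ == "__main__":
    print(burst_demo())
```

A one-minute backlog dominates the 1-minute figure but is diluted in the 15-minute figure, so a monitoring threshold on scan backlog should be set per window rather than shared across all three.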

Dr.Web Virus-Finding Engine supports signature analysis (signature-based detection of threats covered by the virus databases) as well as heuristic and behavioral analysis methods, which are designed to detect potentially dangerous objects based on machine instructions and other attributes of executable code.

Heuristic analysis cannot guarantee highly reliable results and may allow for the following errors:

Errors of the first type. These errors occur when a safe object is detected as malicious (false positive detections).

Errors of the second type. These errors occur when a malicious object is detected as safe.

Thus, objects detected by the heuristic analyzer are treated as Suspicious.

It is recommended that you quarantine suspicious objects. After the virus databases are updated, such files can be scanned using signature analysis. Keep the virus databases up to date in order to avoid errors of the second type.

Dr.Web Virus-Finding Engine can scan and cure both unpacked and packed files, as well as objects inside various containers, such as archives, email messages and so on.