Operating Principles

The component operates as a service that receives requests from the Dr.Web for UNIX Mail Servers components to scan file system objects (files and boot disk records) for embedded threats. It queues the scanning tasks and scans the requested objects using the Dr.Web Virus-Finding Engine scan engine. If a threat is detected and the scanning task requires it to be cured, the scan engine attempts to cure it, provided this action can be applied to the scanned object.

The scanning engine, the Dr.Web Virus-Finding Engine scan engine, and the virus databases form one unit and cannot be separated: the scanning engine loads the virus databases and provides the operating environment for the cross-platform Dr.Web Virus-Finding Engine scan engine. The virus databases and the scan engine are updated by the Dr.Web Updater update component, which is included in Dr.Web for UNIX Mail Servers but is not part of the scan engine. The update component is run by the Dr.Web ConfigD configuration daemon either periodically or on demand, when the user issues the corresponding command. If Dr.Web for UNIX Mail Servers operates in the centralized protection mode, the virus databases and the scan engine are instead updated by the Dr.Web ES Agent, which interacts with the centralized protection server and receives the updates from it.

The Dr.Web Scanning Engine can operate either under management of the Dr.Web ConfigD configuration daemon or in an autonomous mode. In the former case, the daemon runs the engine and ensures that the anti-virus databases are up to date. In the latter case, the engine startup and the updating of the virus databases are performed by the external application that uses the engine. The Dr.Web for UNIX Mail Servers components that ask the scan engine to scan files use the same interface as any other external application.

Users can create their own component (an external application) that uses the Dr.Web Scanning Engine to check files. For this purpose, the Dr.Web Scanning Engine provides a dedicated API based on Google Protobuf. To obtain the Dr.Web Scanning Engine API guide and examples of client applications that use the Dr.Web Scanning Engine, contact the Doctor Web partner care department (https://partners.drweb.com/).

Received tasks are automatically distributed into queues with different priorities: high, normal, and low. The queue is selected according to the component that created the task: for example, tasks created by a file system monitor receive high priority, because response time is important for monitoring. The scan engine keeps statistics of its operation, including the total number of tasks received for scanning and the queue length. As its average load rate, the scan engine uses the average queue length per second, averaged over the last minute, the last 5 minutes, and the last 15 minutes.
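The queueing and load statistics described above, as an added illustrative model that is not Dr.Web code: tasks are placed in high, normal or low queues by originating component, served strictly by priority and first-in-first-out within a priority, and the load rate is the queue length sampled once per second and averaged over 1, 5 and 15 minutes. The component names other than the file system monitor, and the use of a plain windowed mean for the averaging, are assumptions.

```python
import heapq
from collections import deque
from itertools import count

# Priority by originating component (0 = high, 1 = normal, 2 = low). The page
# only states that the file system monitor gets high priority; the other two
# origin names are assumed for illustration.
PRIORITY = {"fs-monitor": 0, "mail-filter": 1, "scheduled-scan": 2}


class ScanDispatcher:
    """Toy model of the engine's task queues and load statistics."""

    def __init__(self):
        self._heap = []                         # (priority, seq, task)
        self._seq = count()                     # keeps FIFO order within a priority
        self.tasks_received = 0                 # total tasks received for scanning
        self._samples = deque(maxlen=15 * 60)   # one queue-length sample per second

    def submit(self, origin, path):
        prio = PRIORITY.get(origin, 1)          # unknown origins default to normal
        heapq.heappush(self._heap, (prio, next(self._seq), (origin, path)))
        self.tasks_received += 1

    def next_task(self):
        """Return the highest-priority, oldest task, or None if all queues are empty."""
        return heapq.heappop(self._heap)[2] if self._heap else None

    def queue_length(self):
        return len(self._heap)

    def tick(self):
        """Called once per second: record the current queue length as a sample."""
        self._samples.append(self.queue_length())

    def load_averages(self):
        """Mean queue length over the last 1, 5 and 15 minutes.
        A plain windowed mean is assumed; the page does not state the formula."""
        out = {}
        for minutes in (1, 5, 15):
            window = list(self._samples)[-minutes * 60:]
            out[minutes] = sum(window) / len(window) if window else 0.0
        return out
```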

The Dr.Web Virus-Finding Engine scan engine supports signature analysis (signature-based threat detection) as well as heuristic and behavioral analysis methods designed to detect potentially dangerous objects based on machine instructions and other attributes of executable code.

Heuristic analysis cannot guarantee highly reliable results and may produce the following errors:

Errors of the first type. These errors occur when a safe object is detected as malicious (false positive detections).

Errors of the second type. These errors occur when a malicious object is detected as safe (false negative detections).

Thus, objects detected by the heuristic analyzer are treated as Suspicious.

It is recommended that you choose to move suspicious objects to quarantine. After the virus databases are updated, such files can be rescanned using signature analysis. Keep the virus databases up to date to avoid errors of the second type.

The Dr.Web Virus-Finding Engine scan engine can scan and cure both files and packed objects, as well as objects inside various containers (such as archives, email messages, and so on).