Basic Features of Dr.Web for UNIX Mail Servers

1. Detection and neutralization of threats. Scanning for malicious programs of any kind (viruses, including those that infect mail files and boot records, Trojans, email worms and so on) and unwanted software (adware, joke programs and dialers). For details on threat types, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

signature analysis—a scan method that detects known threats registered in the virus databases;

heuristic analysis—a set of scan methods that detect threats not yet known;

cloud-based threat detection using the Dr.Web Cloud service, which collects up-to-date information about recent threats detected by various Dr.Web anti-virus products.

The heuristic analyzer may produce false positives, so objects in which it detects threats are considered “suspicious”. It is recommended that you quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When scanning the file system at the user's request, it is possible to perform either a full scan of all file system objects available to the user or a custom scan of specified objects only (individual directories, or files that meet specified criteria). In addition, it is possible to separately check the boot records of volumes and the executable files that started the processes currently active in the system. In the latter case, when a threat is detected, the malicious executable is neutralized and all processes it started are forcibly terminated. On systems that implement mandatory access control with several access levels, files that are not available at the current access level can be scanned in the special autonomous copy mode.

All objects containing threats detected in the file system are registered in a permanent threat registry, except those threats that were detected in autonomous copy mode.

The Dr.Web Ctl command-line tool bundled with Dr.Web for UNIX Mail Servers can scan the file systems of remote network hosts that provide remote terminal access via SSH or Telnet.

Remote scanning can only detect malicious or suspicious files on a remote host. To eliminate detected threats on the remote host, use the administration tools provided by that host itself. For example, firmware can be updated on routers and other “smart” devices, while computers require connecting to them (including in remote terminal mode) and performing the corresponding operations in their file system (deleting or moving files, and so on) or running the anti-virus software installed on them.

2. Email message scanning. Dr.Web for UNIX Mail Servers supports several modes of email message scanning.

The mode of an external filter connected to a mail server (MTA). Dr.Web for UNIX Mail Servers can be integrated with any mail server that supports the Milter, Spamd or Rspamd interface for connecting external filters. In filter mode, at the MTA's initiative, all email messages received by the server are passed to Dr.Web for UNIX Mail Servers over the connecting interface for scanning. Depending on the capabilities of the interface, Dr.Web for UNIX Mail Servers operating as a filter is able to:

Inform the server of the scanning results. In this case, the mail server must process the message itself according to the results received (reject delivery, add headers or modify the message contents if the result indicates the presence of threats).

Instruct the mail server to receive or reject the message.

Modify the email message by adding headers or removing detected malicious or unwanted contents. Removed malicious contents are attached to the email message as a password-protected archive. The recipient of the email message can request the password for unpacking the protected archive from the mail server administrator. If required, though not recommended, the administrator can allow the use of archives that are not password-protected.

Sending commands to the mail server and returning a modified message are supported only by the Milter interface. The Spamd and Rspamd interfaces do not allow Dr.Web for UNIX Mail Servers to send commands to the server or return a modified email message. One of two verdicts is returned to the server: “the message is considered spam” or “the message is not considered spam”. All actions for processing such a message (for example, adding or modifying headers, rejecting the message, delivering it to the recipient and so on) must be defined in the MTA settings.

To return to the MTA the reason why an email message is rejected, and possibly the actions the MTA should apply to it, text variables are used (report for Spamd and action for Rspamd). These variables are returned by the Lua procedure for message processing and can be handled in the MTA (for example, in an Exim ACL).
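As an added illustration (not taken from the Dr.Web documentation or the product's own configuration), the following Exim configuration fragment consumes such a verdict in a DATA-time ACL. It assumes the Dr.Web listener speaks the Rspamd protocol on 127.0.0.1 port 11333 (address and port are assumed, not the product's defaults) and an Exim version that supports the rspamd variant and the $spam_action variable.

```exim
# Main configuration section: point Exim at the filter's listener.
# Address and port are assumed here; use the ones your Dr.Web for UNIX
# Mail Servers listener is configured with. Omit "variant=rspamd" if the
# listener uses the plain Spamd protocol (then $spam_action is never set).
spamd_address = 127.0.0.1 11333 variant=rspamd
acl_smtp_data = acl_check_data

acl_check_data:

  # Submit the message for scanning. The ":true" suffix keeps the condition
  # true regardless of the score, so the $spam_* variables are populated and
  # the headers below are added for every message, not only for spam.
  warn  spam       = nobody:true
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report

  # Rspamd-style verdict: the filter's "action" arrives in $spam_action.
  deny  condition = ${if eq{$spam_action}{reject}}
        message   = Rejected by content filter

  # Spamd-style verdict: only the score and the "report" text are available,
  # so the policy decision (here: reject at a score of 15.0 or more) is
  # made in the ACL itself. $spam_score_int is the score multiplied by 10.
  deny  condition = ${if >{$spam_score_int}{149}}
        message   = Rejected as spam (score $spam_score)

  accept
```

The $spam_report text is multi-line, so it is kept in a header rather than in the SMTP rejection message.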

SMTP proxy mode, in which SMTP traffic is scanned before being forwarded to one or more target MTAs/MDAs. This mode is essentially the same as the previous one: Dr.Web for UNIX Mail Servers connects (via Milter, Spamd or Rspamd) to an MTA (for example, Postfix) that is configured to relay email messages to other MTAs (for example, by routing messages addressed to different domains).

The transparent proxy mode for mail protocols. In this mode, Dr.Web for UNIX Mail Servers (using the SpIDer Gate component) acts as a proxy server embedded in the data channel between an MTA and/or a MUA, transparently to both parties, and scans the transmitted messages as they are sent and received. The product can be transparently embedded in the main mail protocols: SMTP, POP3 and IMAP. In this mode, depending on the capabilities of the protocol, Dr.Web for UNIX Mail Servers can deliver the email message to the recipient (unmodified, or after adding headers or repacking the message) or block its delivery (including by returning a protocol error message to the sender or the recipient).

The transparent proxy mode is available only on OSes of the GNU/Linux family.

Dr.Web for UNIX Mail Servers is not a fully-fledged mail server and can operate in proxy mode only when a mail server (an MTA) is installed on the same host on which Dr.Web for UNIX Mail Servers runs.

Depending on the distribution and settings, Dr.Web for UNIX Mail Servers runs the following checks of email messages:

detection of malicious attachments that contain threats;

search for links to malicious websites or websites covered by unwanted categories;

detection of signs of phishing and spam (using DKIM, an automatically updated database of spam filtering rules, and a check of the sender's address against DNSxL black lists);

compliance with security criteria set individually by the administrator of the mail system (scanning of message bodies and headers using regular expressions).

To scan links to unwanted websites that may be present in email messages, an automatically updated database of web resource categories bundled with Dr.Web for UNIX Mail Servers is used. In addition, a request is sent to Dr.Web Cloud to check whether other Dr.Web products have marked a web resource referenced in the email message as malicious.

In Dr.Web for UNIX Mail Servers, starting from version 11.0, the list of actions that can be applied to an email message is significantly reduced.

Starting from version 11.0, Dr.Web for UNIX Mail Servers applies only the following actions to email messages:

checking email messages for compliance with the criteria established by the administrator and scanning for signs of spam (including by checking the presence of the sender’s domain in DNSxL black lists if enabled);

search for links to malicious websites or websites covered by unwanted categories;

detecting malicious attachments.

If the protocol used to receive an email message for scanning and the party that sent it (MTA/MDA or MUA) support modification of messages sent for scanning, then, besides the standard “Pass” and “Reject” actions, Dr.Web for UNIX Mail Servers can repack email messages according to one of the predefined repack templates (during repacking, all threats are moved to a protected archive attached to the email message, and a notification about threats and/or unwanted contents is added to the message body). Basic functionality for adding and modifying email headers is also supported.

All other actions (for example, notifying an administrator, irreversibly deleting or renaming attached files) must, if needed, be implemented by the protected mail server (MTA/MDA) itself. If necessary, custom third-party filter plug-ins designed for such processing can be connected to the server.

Depending on the distribution, Dr.Web Anti-Spam may be unavailable in Dr.Web for UNIX Mail Servers. In this case, email messages are not scanned for signs of spam.

3. Novell Storage Services volumes. Write operations of NSS file storage users are monitored. This feature makes it possible to detect and neutralize malware immediately when an attempt is made to copy it to the NSS storage, which prevents its further distribution over the network.

The Novell Storage Services volume monitoring feature is available only on Novell Open Enterprise Server SP2 based on SUSE Linux Enterprise Server 10 SP3 or later. The component providing this feature is not shipped for other supported OSes.

5. Reliable isolation of infected or suspicious objects detected in the server file system in a special storage known as quarantine, to prevent any harm to the system. Quarantined objects are renamed according to special rules and, if necessary, can be restored to their original location only on user demand.

Threats detected by the Dr.Web MailD component in email messages are not quarantined on the server; they are delivered to the recipient in a modified email message, packed in a password-protected archive. The user can access the contents of the archive only with the password obtained from the administrator of Dr.Web for UNIX Mail Servers.

6. Automatic update of the scanning engine, virus databases, databases of web resource categories and the database of email spam filtering rules to maintain a high level of protection against malware.

7. Collection of statistics on scans and threat events. Logging of detected threats. Sending notifications of detected threats via SNMP to external monitoring systems, to a centralized protection server if Dr.Web for UNIX Mail Servers operates in centralized protection mode, and to the Dr.Web Cloud service.

8. Operation in centralized protection mode (when connected to a centralized protection server such as Dr.Web Enterprise Server, or as part of the Dr.Web AV-Desk service) to apply uniform security policies adopted within the network that includes this server. This can be a corporate network, a private network (VPN) or a service provider's network (for example, that of an internet service provider).