Dr.Web for UNIX Mail Servers Main Functions
1. Searches for malicious programs (for example, viruses, including those that infect mail files and boot records, trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers, and so on). To find more information on computer threat types, refer to Appendix A. Types of Computer Threats.
Threat detection methods:
•signature analysis, which allows detection of known threats;
•heuristic analysis, which allows detection of threats that are not present in virus databases;
•cloud-based threat detection technologies, using the Dr.Web Cloud service that collects up-to-date information about recent threats and sends it to Dr.Web products.
When the file system is scanned on the user's request, either a full scan of all file system objects available to the user or a custom scan of specified objects only (separate directories, or files that meet specified criteria) is possible. In addition, boot records of volumes and the executable files of currently running processes can be checked separately. In the latter case, when a threat is detected, the malicious executable file is not only neutralized, but all processes started from it are forcibly terminated. In systems that implement mandatory access control to files with several access levels, files that are not available at the current access level can be scanned in a special autonomous copy mode.
All objects containing threats detected in the file system are recorded in the permanently stored threat registry, except threats that were detected in the autonomous copy mode.
The Dr.Web Ctl command-line tool included in Dr.Web for UNIX Mail Servers also allows scanning for threats on the file systems of remote network hosts that provide remote terminal access via SSH or Telnet.
2. Dr.Web for UNIX Mail Servers supports several modes of email message scanning.
•External filter mode, connected to the mail server (MTA). Dr.Web for UNIX Mail Servers can be integrated with any mail server that supports the Milter, Spamd or Rspamd interfaces for connecting external filters. In filter mode, all emails arriving at the mail server are, on the MTA's initiative, passed via the connection interface to Dr.Web for UNIX Mail Servers and scanned. Depending on the capabilities of the interface, Dr.Web for UNIX Mail Servers operating as a filter can:
▫inform the server of the results of scanning an email. In this case the mail server must process the email message on its own according to the received results (reject delivery, add headers or modify the email contents if the scanning result indicates the presence of threats);
▫send the mail server a command to accept or reject the message;
▫modify an email message by adding headers or removing detected malicious or unwanted contents. Removed malicious contents are attached to the email message as a password-protected archive. The recipient of the email message can request the password for unpacking the archive from the mail server administrator. If required, though not recommended, the administrator can configure the use of archives without password protection.
•SMTP proxy mode, which scans passing SMTP traffic that is then forwarded to one or several MTAs/MDAs. This mode is in fact similar to the previous one: Dr.Web for UNIX Mail Servers is connected (using Milter, Spamd or Rspamd) to an MTA (for example, Postfix) that is configured to relay email messages to other MTAs (for example, routing messages addressed to various domains).
•Transparent proxy mode for mail protocols. In this mode, Dr.Web for UNIX Mail Servers (using the SpIDer Gate component) acts as a proxy server embedded into the data exchange channel between MTAs and/or MUAs, transparently for the exchanging parties, and scans the transmitted messages. The product can be transparently embedded into the main mail protocols: SMTP, POP3 and IMAP. In this mode, depending on the capabilities of the protocol it is embedded into, Dr.Web for UNIX Mail Servers can either pass the email message to the recipient (unmodified, or modified with added headers or a repacked message) or block its delivery, including returning the correct protocol error to the sender or the recipient.
Depending on the distribution and settings, Dr.Web for UNIX Mail Servers performs the following checks of email messages:
•detection of malicious attachments that contain threats;
•search for links to malicious websites or websites from unwanted categories;
•detection of signs of phishing and spam (using the DKIM technology, an automatically updated spam filtering rule database, and a check of whether the sender’s address is present in DNSxL black lists);
•compliance with security criteria defined independently by the administrator of the mail system (scanning of message body and headers using regular expressions).
To check links to unwanted websites that may be present in email messages, an automatically updated database of web resource categories is used; it is distributed together with Dr.Web for UNIX Mail Servers. In addition, Dr.Web Cloud is queried to check whether the web resource mentioned in the email message has been marked as malicious by other Dr.Web products.
3. Objects containing threats that are detected in the server's file system are moved to a special storage, the quarantine, to prevent harm to the system. When moved to quarantine, objects are renamed according to special rules and, if necessary, can be restored to their original location on demand only.
Threats detected by the Dr.Web MailD component in email messages are moved to quarantine on the server and are also sent to the recipient in the modified email message, packed in a password-protected archive. The user can access the contents of the archive only by entering the password received from the Dr.Web for UNIX Mail Servers administrator.
4. Updating of the scan engine, virus databases, databases of web resource categories and the email spam filtering rule database to maintain a high level of protection against malware.
5. Notifications on virus events; logging of threat detection events. Sending of notifications on detected threats over SNMP to external monitoring systems, to the centralized protection server if Dr.Web for UNIX Mail Servers operates in centralized protection mode, as well as to Dr.Web Cloud.
6. Operation in centralized protection mode (when connected to a centralized protection server such as Dr.Web Enterprise Server, or as a part of the Dr.Web AV-Desk service). This mode allows a unified security policy to be implemented on computers within the protected network, which can be a corporate network, a private network (VPN), or a service provider's network (for example, an internet service provider).