Dr.Web for UNIX Mail Servers Main Functions

1.Detection and neutralization of threats. Searches for malicious programs (for example, viruses, including those that infect mail files and boot records, trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers, and so on). To find more information on computer threat types, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

signature analysis, which allows detection of known threats;

heuristic analysis, which allows detection of threats that are not present in virus databases;

cloud-based threat detection technologies, using the Dr.Web Cloud service that collects up-to-date information about recent threats and sends it to Dr.Web products.

The heuristic analyzer may raise false positive detections. Thus, objects that contain threats detected by the analyzer are considered “suspicious”. It is recommended that you choose to quarantine such files and send them for analysis to Doctor Web anti-virus laboratory. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When scanning the file system on the user's request, it is possible of either full scan of all the file system objects available to user, or custom scan of the specified objects only (separate directories or files that meet the specified criteria). In addition, it is possible to perform separate checks of boot records of volumes and executable files which support currently active processes in the system. In the latter case, when a threat is detected, it is not only neutralized the malicious executable file, but all processes running from it are forcibly terminated. In systems that implement a mandatory model of access to files with a set of different access levels, the scanning of files that are not available at the current access level can be done in special autonomous copy mode.

All objects containing threats detected in the file system are registered in the permanently stored threats registry, except those threats that were detected in the autonomous copy mode.

The Dr.Web Ctl command-line tool included in Dr.Web for UNIX Mail Servers, allows to scan for threats file systems of remote network hosts, that provide remote terminal access via SSH or Telnet.

The remote scanning can be used only for detection of malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, it is necessary to use administration tools provided directly by this host. For example, for routers and other “smart” devices, a mechanism for a firmware update can be used; for computing machines, it can be done via a connection to them (as an option, using a remote terminal mode) and respective operations in their file system (removal or moving of files, and so on), or via running an anti-virus software installed on them.

2.Email message scanning. Dr.Web for UNIX Mail Servers supports the various modes of email message scanning.

The mode of an external filter connected to the mail server (MTA). Dr.Web for UNIX Mail Servers can be integrated into any mail server that supports interfaces for connection of external filters Milter, Spamd and Rspamd. In the filter mode, upon an initiative of MTA, all emails that arrive to the mail server are sent via the conjugation interface to Dr.Web for UNIX Mail Servers and scanned. Depending on the capability of the interface, Dr.Web for UNIX Mail Servers, that operates as a filter, is able to:

inform server of results of an email scanning. In this case mail server must independently process an email message according to received results (reject the delivery, add headers or modify email contents, if scanning result contains information about the presence of threats);

send the command to receive or to reject the message to the mail server;

modify an email message by adding the headers or removing detected malicious or unwanted contents. Removed malicious contents are attached to the email message as an archive protected with a password. The recipient of the email message can request the password for unpacking the protected archive from the mail server administrator. If required, though not recommended, the administrator can configure the usage of the archives not protected with a password.

The transmission of commands to the mail server or return of a modified message are supported only by the Milter interface. The Spamd and Rspamd do not allow Dr.Web for UNIX Mail Servers to send commands to the server and return the modified email message. One of two verdicts will be returned to the server: «the message is considered as spam» or «the message is not considered as spam». All actions on processing of such message (for example, adding or modifying mail headers, rejecting the message, its transimission to the recipient, and so on) should be defined in MTA side settings.

To return to the MTA the reason why the email message is rejected, and, possibly, the actions that MTA should apply to the email message, the text variables are used (report for Spamd and action for Rspamd) which are returned by LUA messages processing procedure that can be processed in the MTA (for example, ACL for Exim).

SMTP proxy mode, which scans bypassing SMTP traffic which furtherly transferred to one or several MTA/MDA. In fact, this mode is similar to the previous one: Dr.Web for UNIX Mail Servers is connected (using Milter, Spamd or Rspamd) to MTA (for example, Postfix), which is customized to transmit email messages to other MTAs (for example, performing messages routing, addressed to various domains, and so on).

The transparent proxy mode for mail protocols. In this mode, Dr.Web for UNIX Mail Servers (using SpIDer Gate component) implements the proxy server functions, embedded into the channel for sharing data between MTA and/or MUA transparently for the sharing parties and the function of the scanner of transmitted messages. The product can be transparently embedded into the main mail protocols: SMTP, POP3, IMAP. In this mode, and also depending on possibilities of the protocol it is embedded into, Dr.Web for UNIX Mail Servers can transmit the email message to the recipient (it cannot be modified or after modifications with added headers or repacked email message) or block its delivery, including the return of the correct protocol error to the sender or the recipient.

The transparent proxy mode is available only for GNU/Linux.


Since Dr.Web for UNIX Mail Servers is not a full fledged email server, for operation in the proxy mode, a mail server (MTA) is required to be installed on the same host where Dr.Web for UNIX Mail Servers operates.

Dr.Web for UNIX Mail Servers, depending on the distribution and settings, it executes the scanning of email messages:

detection of malicious attachments that contain threats;

search for links to malicious websites or websites from the unwanted categories;

detection of signs of phishing and spam (using the DKIM technology, an automatically updated rule database of spam filtering, and the mechanism of checking the presence of sender’s address in the DNSxL black lists);

compliance with the security criteria established by the administrator of the mail system independently (scanning of a body and headers of messages using regular expressions).

To scan links to unwanted websites, that can be present in email messages, the automatically updated databases of web resource categories is used. It is distributed along with Dr.Web for UNIX Mail Servers. Also, Dr.Web Cloud is requested to check the availability of information if the web source mentioned in the email message has been marked as malicious by other Dr.Web products.

In Dr.Web for UNIX Mail Servers, starting from version 11.0, list of possible actions that can be applied to an email message is significantly reduced.

Starting from version 11.0, Dr.Web for UNIX Mail Servers executes only the following actions with email messages:

email message check for the compliance with the criteria established by the administrator and scanning for signs of spam (also via check of the sender’s domain in DNSxL black lists when such configuration is present),

search for links to malicious websites or websites from the unwanted categories;

detection of malicious attachments.

If the protocol that was used to receive an email message for scanning and the party that sent the email message (MTA/MDA or MUA) support modification of transferred for scanning email messages, then, besides standard actions “Pass” and “Reject”, Dr.Web for UNIX Mail Servers can repack email messages on the basis of one of predetermined repack templates (during repacking, all threats are moved to a protected archive attached to an email, and a notification on threats and/or unwanted contents is added to the email body). Besides, basic functionality that adds and modifies email headers is supported.

All other actions (for example, sending of notifications to an administrator, complete removal or renaming of attached files), if they are required, should be implemented via a protected mail server (MTA/MDA). They should be implemented via a protected mail server by connecting, if required, a set of specific filter plug-ins from third-party developers which are designed for the corresponding processing.


Depending on the delivery, the Dr.Web Anti-Spam component may not be included in Dr.Web for UNIX Mail Servers. In this case, message scanning for spam is not performed.

3.Reliable isolation of infected or suspicious objects. Such objects detected in the server's file system are moved to a special storage, quarantine, to prevent any harm to the system. When moved to quarantine, objects are renamed according to special rules and, if necessary, they can be restored to their original location only on demand.

The threats detected by the Dr.Web MailD component in email messages are moved to quarantine on the server, and are sent to the user-recipient in the modified email message. At that, they are packed in a password protected archive. The user can get an access to the contents of the archive only by indication the password received from the Dr.Web for UNIX Mail Servers administrator.

4.Automatic update of the scan engine, virus databases, databases of web resource categories and database of rules for email spam filtering for the maintenance of the high level of protection against malware.

5.Collection of statistics on virus events; logging threat detection events. Sending of notifications on detected threats over SNMP to external monitoring systems and to the centralized protection server if Dr.Web for UNIX Mail Servers operates in the centralized protection mode, as well as to Dr.Web Cloud.

6.Operation in the centralized protection mode (when connected to the centralized protection server, such as Dr.Web Enterprise Server or as a part of Dr.Web AV-Desk service). This mode allows implementation of a unified security policy on computers within the protected network. It can be a corporate network, a private network (VPN), or a network of a service provider (for example, an internet service provider).