Structure of Dr.Web for UNIX File Servers

Dr.Web for UNIX File Servers is a product consisting of a set of components, each with its own set of functions. The components are divided into the following categories according to their purpose:

basic anti-virus components, which form the Dr.Web for UNIX File Servers core. Without the components of this category, the product cannot scan files (and other data) for viruses and other threats;

threat search components, which solve the basic tasks of Dr.Web for UNIX File Servers: detecting threats and potentially dangerous objects. In their operation they rely on the basic anti-virus components;

service components, which solve auxiliary anti-virus protection tasks (anti-virus database updates, connection to centralized protection servers, overall management of Dr.Web for UNIX File Servers operation, and so on);

interface components, which provide the user or third-party applications with an interface to Dr.Web for UNIX File Servers.

Below is the list of Dr.Web for UNIX File Servers components.

1. Basic Anti-virus Components

Component: Dr.Web Virus-Finding Engine. Library file: drweb32.dll. Internal name displayed in the log file: CoreEngine

Description: An anti-virus engine. Implements the algorithms that detect viruses and malicious programs (signature and heuristic analysis). Managed by Dr.Web Scanning Engine.

Component: Dr.Web Scanning Engine. Executable file: drweb-se. Internal name displayed in the log: ScanEngine

Description: A scan engine. Loads Dr.Web Virus-Finding Engine and the anti-virus databases. Sends the contents of files and boot records to the anti-virus engine for scanning. Manages the queue of files to be scanned. Cures threats to which this action is applicable.

Is operated by Dr.Web ConfigD or can operate autonomously.

Used by the Dr.Web File Checker and Dr.Web Network Checker components. Can also be used by Dr.Web MeshD (in some operation modes) and by applications external to Dr.Web for UNIX File Servers that use the Dr.Web Scanning Engine API directly.

Component: Virus databases. Bundled with Dr.Web Virus-Finding Engine

Description: An automatically updated database of signatures of viruses and other threats, as well as of algorithms for detecting and neutralizing malicious software. Used by Dr.Web Virus-Finding Engine.

Component: Dr.Web File Checker. Executable file: drweb-filecheck. Internal name displayed in the log: FileCheck

Description: A component for scanning file system objects and a quarantine manager. Receives tasks from the threat search components to scan files in the file system that is local to Dr.Web Scanning Engine. Traverses the file system directories according to the task, sends files to Dr.Web Scanning Engine for scanning and notifies client components about the scanning progress. Deletes infected files, moves them to quarantine and restores them from it, and manages the quarantine directories.

Builds and maintains a cache of information about previously scanned files, so that unchanged files are rescanned less often.

Used by components that scan file system objects, such as SpIDer Guard, SpIDer Guard for SMB and SpIDer Guard for NSS.

Component: Dr.Web Network Checker. Executable file: drweb-netcheck. Internal name displayed in the log: NetCheck

Description: A network data scanning agent. Used to pass data to the scan engine; the data is sent to it over the network by product components (such as Dr.Web ClamD).

Allows Dr.Web for UNIX File Servers to perform distributed file scanning: to receive files for scanning from remote hosts and to send files to them. The remote hosts must have a Dr.Web for UNIX product installed and running. In distributed scanning mode, the scanning load is distributed automatically among remote hosts, which reduces the load on hosts with many scanning tasks (for example, mail servers, file servers, internet gateways).

If partner hosts able to receive data for scanning are present on the network, the components that use Dr.Web Network Checker for scanning can do without the local Dr.Web Scanning Engine; in that case Dr.Web Scanning Engine, Dr.Web Virus-Finding Engine and the anti-virus databases may be absent.

For security reasons, files are transmitted over the network using SSL.

Component: Dr.Web MeshD. Executable file: drweb-meshd. Internal name displayed in the log: MeshD

Description: A component that connects Dr.Web for UNIX File Servers to a local cloud, which allows Dr.Web for UNIX products to exchange updates and file scanning results, to send files to each other for scanning, and to provide scan engine services directly.

If the product includes this component and the local cloud it is connected to contains hosts providing scan engine services, Dr.Web Scanning Engine, Dr.Web Virus-Finding Engine and the anti-virus databases may be absent.

2. Threat Search Components

Component: SpIDer Guard. Executable file: drweb-spider. Internal name displayed in the log: LinuxSpider

Description: Linux file system monitor. A resident component that tracks file operations (such as creating, opening, closing and launching) in GNU/Linux file systems. It sends requests to Dr.Web File Checker to scan the contents of new and modified files, as well as of executable files when programs are launched.

Depending on the OS, it uses either the fanotify mechanism (an API provided by the OS) or a special kernel module developed by Doctor Web (the LKM is supplied together with SpIDer Guard as a separate package). When fanotify is used, the monitor can operate in an enhanced mode that blocks access to files not yet checked (all files or executables only) until the scan is completed. The enhanced monitoring mode is disabled by default.

Included only in distributions designed for GNU/Linux OSes.

Component: GNU/Linux kernel module for SpIDer Guard. Executable file: drweb.ko

Description: A GNU/Linux kernel module (LKM) used by SpIDer Guard to access file system events on operating systems where the fanotify API is unavailable or has limited functionality.

It is distributed both as a binary (for a set of operating systems where fanotify is not implemented or unavailable) and as source code from which the kernel module can be built and installed manually (for instructions, refer to the Building kernel module for SpIDer Guard section).

Included only in distributions designed for GNU/Linux OSes. Operation with the LKM is not supported on the ARM64 and E2K architectures.

Component: SpIDer Guard for SMB. Executable file: drweb-smbspider-daemon. Internal name displayed in the log: SMBSpider

Description: Samba shared directories monitor. Operates in the background and monitors file system operations (such as creating, opening, closing, reading and writing) in directories used as file storages of the Samba server. Sends requests to Dr.Web File Checker to scan the contents of new or modified files.

Integrates with the file server through VFS SMB modules that operate on the Samba server side.

Component: SpIDer Guard for NSS. Executable file: drweb-nss. Internal name displayed in the log: NSS

Description: NSS (Novell Storage Services) volumes monitor. Operates in the background and monitors file system operations (such as creating, opening and closing a file, as well as write operations) on NSS volumes mounted at the specified mount point. Sends requests to Dr.Web File Checker to scan the contents of new or modified files.

Included only in distributions designed for GNU/Linux OSes. The component can operate only on Novell Open Enterprise Server SP2 based on SUSE Linux Enterprise Server 10 SP3 and later.

3. Service Components

Component: Dr.Web CloudD. Executable file: drweb-cloudd. Internal name displayed in the log: CloudD

Description: A component for interaction with Dr.Web Cloud. Sends URLs visited by the user and information about scanned files to the Dr.Web Cloud service, where they are checked for threats not yet covered by the virus databases.

Component: Dr.Web ConfigD. Executable file: drweb-configd. Internal name displayed in the log file: ConfigD

Description: Dr.Web for UNIX File Servers configuration daemon. Starts and stops other product components depending on the settings. Restarts components that fail, starts components at the request of other components, and informs active components when another component starts or shuts down.

Stores information about the present license keys and settings and provides it to all components. Receives changed settings and license keys from those components of Dr.Web for UNIX File Servers that are expected to supply such information, and notifies the other components of changes in license keys and settings.

Component: Dr.Web ES Agent. Executable file: drweb-esagent. Internal name displayed in the log: ESAgent

Description: The centralized protection agent. Ensures product operation in the centralized protection and mobile modes. Maintains the connection between the product and the centralized protection server, from which it receives the license key file and updates of the virus databases and the anti-virus engine. Sends the server information on the components included in Dr.Web for UNIX File Servers and their status, as well as statistics of virus events.

Component: Dr.Web StatD. Executable file: drweb-statd. Internal name displayed in the log file: StatD

Description: A component for storing operation events of Dr.Web for UNIX File Servers components. Receives and stores events reported by product components (such as abnormal termination, threat detection, and so on).

Component: Dr.Web Updater. Executable file: drweb-update. Internal name displayed in the log: Update

Description: An updating component. Downloads updates of the virus databases and the anti-virus engine from Doctor Web servers. Updates can be downloaded automatically according to a schedule or on user demand (via Dr.Web Ctl or the management web interface).

4. Interface Components

Component: Dr.Web HTTPD. Executable file: drweb-httpd. Internal name displayed in the log: HTTPD

Description: Dr.Web for UNIX File Servers management web server. Provides a custom HTTP API for managing Dr.Web for UNIX File Servers components. This API is used by the management web interface (which must be installed separately). For security reasons, the component uses HTTPS for connections from the web interface. Uses Dr.Web Network Checker to transmit data for scanning to Dr.Web Scanning Engine.

Component: Management Web Interface. Its functionality is provided by the Dr.Web HTTPD component

Description: Can be accessed from any browser on a local or remote host. With the web interface, the product does not need third-party web servers (such as Apache HTTP Server) or remote administration tools such as Webmin.

Component: Dr.Web Ctl. Executable file: drweb-ctl. Internal name displayed in the log: Ctl

Description: A tool for managing Dr.Web for UNIX File Servers from the command line. Allows the user to start file scanning, view and manage quarantined objects, start a virus database update, connect Dr.Web for UNIX File Servers to or disconnect it from the centralized protection server, and view and configure product parameters.

Component: Dr.Web SNMPD. Executable file: drweb-snmpd. Internal name displayed in the log: SNMPD

Description: An SNMP agent. Designed for integrating Dr.Web for UNIX File Servers with external monitoring systems over SNMP, which allows monitoring the state of product components and collecting statistics on threat detection and neutralization. Supports SNMP v2c and v3.

Component: Dr.Web ClamD. Executable file: drweb-clamd. Internal name displayed in the log: ClamD

Description: A component that emulates the interface of clamd, the anti-virus daemon of ClamAV®. Allows any application that supports ClamAV® to use Dr.Web for UNIX File Servers for anti-virus scanning transparently. Depending on the mode, uses Dr.Web File Checker or Dr.Web Network Checker to transmit data for scanning to Dr.Web Scanning Engine.

The figure below shows the structure of Dr.Web for UNIX File Servers and its operation with external applications.

Figure 1. The structure of Dr.Web for UNIX File Servers

The scheme distinguishes the following groups of elements (each marked with its own legend symbol):

Dr.Web for UNIX File Servers as a whole and external Dr.Web applications not included in the solution;

programs external to Dr.Web for UNIX File Servers and products that integrate with it;

the service components that perform particular anti-virus protection tasks (anti-virus database updates, connection to centralized protection servers, overall coordination of operations, and so on);

components that provide the user or third-party applications with an interface to manage Dr.Web for UNIX File Servers;

components used for anti-virus scanning;

basic anti-virus components that form the Dr.Web for UNIX File Servers core; used by the components that perform data and file scans.

Components marked with a dashed line can be missing depending on the Dr.Web for UNIX File Servers distribution and usage.

For details on Dr.Web for UNIX File Servers components, refer to Dr.Web for UNIX File Servers Components.