Dr.Web for UNIX File Servers Main Functions

1. Detection and neutralization of threats. Searches for malicious programs (for example, viruses, including those that infect mail files and boot records, trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers, and so on). To find more information on computer threat types, refer to Appendix A. Types of Computer Threats.

Threat detection methods:

signature analysis, which allows detection of known threats;

heuristic analysis, which allows detection of threats that are not present in virus databases;

cloud-based threat detection technologies, using the Dr.Web Cloud service that collects up-to-date information about recent threats and sends it to Dr.Web products.

The heuristic analyzer may raise false positive detections. Thus, objects that contain threats detected by the analyzer are considered “suspicious”. It is recommended that you choose to quarantine such files and send them for analysis to Doctor Web anti-virus laboratory. For details on methods used to neutralize threats, refer to Appendix B. Neutralizing Computer Threats.

When scanning the file system on the user's request, you can run either a full scan of all file system objects available to the user or a custom scan of specified objects only (separate directories, or files that meet the specified criteria). In addition, boot records of volumes and the executable files backing currently active processes can be checked separately. In the latter case, when a threat is detected, not only is the malicious executable file neutralized, but all processes running from it are forcibly terminated. In systems that implement a mandatory access control model for files with several different access levels, files that are not available at the current access level can be scanned in a special autonomous copy mode.

All objects containing threats detected in the file system are registered in the permanently stored threats registry, except those threats that were detected in the autonomous copy mode.

The Dr.Web Ctl command-line tool included in Dr.Web for UNIX File Servers allows you to scan for threats on the file systems of remote network hosts that provide remote terminal access via SSH or Telnet.

Remote scanning can be used only to detect malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, you must use the administration tools provided by that host itself. For example, for routers and other “smart” devices, a firmware update mechanism can be used; for computers, threats can be eliminated by connecting to them (for example, in a remote terminal mode) and performing the respective operations in their file system (removal or moving of files, and so on), or by running anti-virus software installed on them.

2. Monitoring access to files:

file system in the OS. Monitors file events and attempts to run executables. This feature allows you to detect and neutralize malware at the moment it attempts to infect the server file system. Besides the standard monitoring mode, you can enable the enhanced (Paranoid) mode, in which the monitor blocks access to files until their scanning is finished (in the standard mode the scanning result becomes available only after an application has already accessed the file, so the enhanced mode lets you prevent access to an infected file). The enhanced mode increases the security level but slows down access to files that have not been scanned yet.

The volume monitoring function is available only for operating systems of the GNU/Linux family. For other supported operating systems, the component that provides this feature is not included in the package.

Samba shared directories. Read and write operations of local and remote users of the file server are monitored. This feature allows you to detect and neutralize malware at an attempt to save a malicious program to the file storage, which prevents its distribution over the network;

NSS (Novell Storage Services) volumes. Monitors write operations of NSS file storage users. This feature allows you to detect and neutralize malware at an attempt to save a malicious program to NSS storage, which prevents its distribution over the network.

Note that the Novell Storage Services volume monitoring function is available only for Novell Open Enterprise Server SP2 on SUSE Linux Enterprise Server 10 SP3 or later. For other supported operating systems, the component that provides this feature is not included in the package.

4. Reliable isolation of infected or suspicious objects. Such objects detected in the server's file system are moved to a special storage, the quarantine, to prevent any harm to the system. When moved to the quarantine, objects are renamed according to special rules; if necessary, they can be restored to their original location, but only on demand.

5. Automatic update of the scan engine and virus databases to maintain a high level of protection against malware.

6. Collection of statistics on virus events; logging of threat detection events. Sending of notifications on detected threats over SNMP to external monitoring systems and to the centralized protection server if Dr.Web for UNIX File Servers operates in the centralized protection mode, as well as to Dr.Web Cloud.

7. Operation in the centralized protection mode (when connected to a centralized protection server, such as Dr.Web Enterprise Server, or as a part of the Dr.Web AV-Desk service). This mode allows implementation of a unified security policy on computers within the protected network. It can be a corporate network, a private network (VPN), or a network of a service provider (for example, an internet service provider).