Usage Examples

This section contains examples of using the Dr.Web Ctl utility (drweb-ctl):

Scanning Objects:

Simple Scanning Commands

Scanning of Files Selected by Criteria

Scanning of Additional Objects

Configuration Management

Threat Management

Example of Operation in Autonomous Instance Mode

Updating Offline

1. Scanning Objects

1.1. Simple Scanning Commands

1. Scan the /home directory with the default parameters:

$ drweb-ctl scan /home

2. Scan the paths listed in the daily_scan file (one path per line):

$ drweb-ctl scan --stdin < daily_scan

3. Scan the boot record of the sda drive:

$ drweb-ctl bootscan /dev/sda

4. Scan the running processes:

$ drweb-ctl procscan

1.2. Scanning of Files Selected by Criteria

The examples below select files with the find utility and pass the resulting list to the drweb-ctl scan command via the --stdin (newline-separated) or --stdin0 (NUL-separated) parameter. When scripting, prefer find -print0 with --stdin0: a file name may legitimately contain a newline, and with --stdin such a name is split into two bogus paths, so the file itself is never scanned.

1. Scan the objects that find lists under the current directory (with no starting point, GNU find searches the current directory), separated by the NUL (\0) character:

$ find -print0 | drweb-ctl scan --stdin0

2. Scan all regular files, starting from the root directory, on the file system that holds it only (-xdev stops find from descending into other mounted file systems):

$ find / -xdev -type f | drweb-ctl scan --stdin

3. Scan all files in all directories, starting from the root directory, except the /var/log/messages and /var/log/syslog files:

$ find / -type f ! -path /var/log/messages ! -path /var/log/syslog | drweb-ctl scan --stdin

4. Scan all files owned by the root user in all directories, starting from the root directory:

$ find / -type f -user root | drweb-ctl scan --stdin

5. Scan all files owned by the root and admin users in all directories, starting from the root directory:

$ find / -type f \( -user root -o -user admin \) | drweb-ctl scan --stdin

6. Scan all files owned by users with a UID in the range 1000–1005 in all directories, starting from the root directory (-uid +999 matches UIDs greater than 999, -uid -1006 matches UIDs less than 1006):

$ find / -type f -uid +999 -uid -1006 | drweb-ctl scan --stdin

7. Scan files in all directories, starting from the root directory, to a nesting depth of at most five:

$ find / -maxdepth 5 -type f | drweb-ctl scan --stdin

8. Scan files in the root directory only, ignoring subdirectories:

$ find / -maxdepth 1 -type f | drweb-ctl scan --stdin

9. Scan files in all directories, starting from the root directory, following all symbolic links (this may scan the same file more than once and can take find outside the intended tree):

$ find -L / -type f | drweb-ctl scan --stdin

10. Scan files in all directories, starting from the root directory, without following symbolic links (-P is also the default behaviour of find):

$ find -P / -type f | drweb-ctl scan --stdin

11. Scan files modified after May 1, 2017 in all directories, starting from the root directory (-newermt compares the modification time with the given date; it does not select files created before it):

$ find / -type f -newermt 2017-05-01 | drweb-ctl scan --stdin
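
The following added example is not part of the Dr.Web documentation; it demonstrates why the NUL-separated form (find -print0 | drweb-ctl scan --stdin0) is the one to script with. The scratch directory, its file names and the SCAN_CMD override are assumptions made for the illustration; drweb-ctl itself is not needed to run it, because the scanner command can be swapped out for a dry run.

```shell
# Added example (not from the Dr.Web documentation). Assumed: POSIX sh, find,
# tr, wc and mktemp are available. The scratch tree and SCAN_CMD are assumptions.

# Build a scratch tree. One file name deliberately contains a newline, which is
# legal on POSIX file systems and breaks any line-oriented file list.
make_scratch_tree() {
    dir=$(mktemp -d) || return 1
    nl=$(printf '\n.')          # capture a literal newline (the "." keeps it)
    nl=${nl%.}
    : > "$dir/clean.txt"
    : > "$dir/report.log"
    mkdir "$dir/sub"
    : > "$dir/sub/nested.bin"
    : > "$dir/evil${nl}name.txt"
    printf '%s' "$dir"
}

# Records that a newline-separated listing would hand to `drweb-ctl scan --stdin`.
# The embedded newline splits one real path into two paths that do not exist.
count_newline_records() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Records that a NUL-separated listing hands to `drweb-ctl scan --stdin0`.
# Every path is delivered intact, newline or not.
count_nul_records() {
    find "$1" -type f -print0 | tr -dc '\000' | wc -c | tr -d ' '
}

# Select regular files under $1 on the same file system and pass them,
# NUL-separated, to the scanner. SCAN_CMD (an assumed variable, not a drweb-ctl
# option) replaces the scanner command so the selection can be dry-run.
scan_selection() {
    find "$1" -xdev -type f -print0 | ${SCAN_CMD:-drweb-ctl scan --stdin0}
}

# On a real host (default SCAN_CMD):
#   scan_selection /home
# Dry run that only counts what the scanner would receive:
#   SCAN_CMD='tr -dc \000'; scan_selection /home | wc -c
```

On the scratch tree, the newline-separated count is one higher than the number of files, because the name with the embedded newline is reported as two lines; the NUL-separated count equals the number of files. The same applies to a daily_scan list fed through --stdin: only names without newlines are safe there.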

1.3. Scanning of Additional Objects

1. Scan objects in the /tmp directory on the remote host 192.168.0.1, connecting to it over SSH as the user user with the password passw:

$ drweb-ctl remotescan 192.168.0.1 /tmp --Login user --Password passw

A password given on the command line is visible to other users in the process list and is usually written to the shell history; use key-based SSH authentication where your version of the utility supports it, and in any case use an account with the minimum rights needed to read the scanned paths.

2. Scan a mail message saved in the file email.eml using the default rule set:

$ drweb-ctl checkmail email.eml

 

2. Configuration Management

1. Display information about the running components of Dr.Web Security Space:

$ drweb-ctl appinfo

2. Display all parameters of the [Root] section:

$ drweb-ctl cfshow Root

3. Set the Start parameter in the [LinuxSpider] section of the active configuration to No (this disables SpIDer Guard, the file system monitor):

# drweb-ctl cfset LinuxSpider.Start No

Note that superuser privileges are required to perform this action. To elevate the privileges, you can use the sudo command, as shown in the following example:

$ sudo drweb-ctl cfset LinuxSpider.Start No

4. Force an update of the anti-virus components of Dr.Web Security Space:

$ drweb-ctl update

5. Reload the configuration of the Dr.Web Security Space components:

# drweb-ctl reload

Note that superuser privileges are required to perform this action. To elevate the privileges, you can use the sudo command, as shown in the following example:

$ sudo drweb-ctl reload

6. Connect Dr.Web Security Space to the centralized protection server running on host 192.168.0.1, with the server certificate stored in the /home/user/cscert.pem file:

$ drweb-ctl esconnect 192.168.0.1 --Certificate /home/user/cscert.pem

7. Connect Dr.Web Security Space to the centralized protection server using the install.cfg configuration file:

$ drweb-ctl esconnect --cfg <path to install.cfg>

8. Disconnect Dr.Web Security Space from the centralized protection server:

# drweb-ctl esdisconnect

Note that superuser privileges are required to perform this action. To elevate the privileges, you can use the sudo command, as shown in the following example:

$ sudo drweb-ctl esdisconnect

9. View the latest records written to the Dr.Web Security Space log by the drweb-update and drweb-configd components:

# drweb-ctl log -c Update,ConfigD

3. Threat Management

1. Display information on detected threats:

$ drweb-ctl threats

2. Quarantine all files containing threats that have not been neutralized:

$ drweb-ctl threats --Quarantine All

3. Display the list of quarantined files:

$ drweb-ctl quarantine

4. Restore all quarantined files (this returns every quarantined object, infected files included, to its original location; review the list from the previous command first):

$ drweb-ctl quarantine --Restore All

 

5. Generate the password for a protected archive in the mail message with the identifier 12345. This works only if the HMAC method of password generation was used for that message and the current secret word is set in the Dr.Web MailD settings:

# drweb-ctl idpass 12345

 

4. Example of Operation in Autonomous Instance Mode

Scan files and process the quarantine in autonomous instance mode (the -a option):

$ drweb-ctl scan /home/user -a --OnKnownVirus=QUARANTINE
$ drweb-ctl quarantine -a --Delete All

The first command scans the files in the /home/user directory in autonomous instance mode; files containing known threats are moved to quarantine. The second command processes the quarantine contents (also in autonomous instance mode) and deletes all quarantined objects.

5. Updating Offline

In highly secure environments where the internet connection is blocked or restricted, the virus databases can be updated offline: download the updates on a computer with internet access, copy them to a USB drive or a local network share, and install them on the isolated computer.

The update procedure is performed from the command line.

To get updates

1. On a computer connected to the internet, run:

$ drweb-ctl update --Path <path to the directory to store updates>

2. Copy the downloaded updates to a USB drive or a local network share.

3. Mount the network share or removable drive on the computer to be updated. For a USB drive, run the following commands (mounting the drive read-only, for example with -o ro,nosuid,nodev,noexec, limits what a tampered drive can do on the isolated host):

# mkdir /mnt/usb
# mount <path to the device> /mnt/usb

4. Apply the updates:

$ drweb-ctl update --From /mnt/usb