Call Format

1. Command Format for Calling the Command-Line Utility to Manage the Product

The call format for the command-line tool which manages Dr.Web for Linux operation is as follows:

$ drweb-ctl [<general options> | <command> [<argument>] [<command options>]]

Where:

•<general options>—options that can be applied on startup when the command is not specified or can be applied for any command. Not mandatory for startup.

•<command>—command to be performed by Dr.Web for Linux (for example, start scanning, output the list of quarantined objects, and other commands).

•<argument>—command argument. Depends on the specified command. The argument can be omitted for certain commands.

•<command options>—options for managing the operation of the specified command. Depends on the command. The options can be omitted for some commands.

2. General Options

The following general options are available:

Option

Description

-h, --help

Show general help information and exit. To display the help information on any command, use the following call:

$ drweb-ctl <command> -h

-v, --version

Show the module version and exit

-d, --debug

Show debug information when running the specified command. It cannot be run if a command is not specified. Use the following call:

$ drweb-ctl <command> -d

3. Commands

Commands to manage Dr.Web for Linux can be separated into the following groups:

•Anti-virus scanning commands.

•Commands to manage updates and operation in centralized protection mode.

•Configuration management commands.

•Commands to manage threats and quarantine.

•Information commands.

To get documentation on this component from the command line, run the following command: man 1 drweb-ctl.

3.1. Anti-virus Scanning Commands

The following commands to manage anti-virus scanning are available:

Command

Description

scan <path>

Purpose: Scan the specified file or directory with Scanner.

Arguments:

<path>—path (can be relative) to the file or directory to be scanned.

This argument may be omitted if you use the --stdin or the --stdin0 option. To specify several files that satisfy a certain criterion, use the find utility (see Usage Examples) and the --stdin or --stdin0 option.

Options:

-a [--Autonomous] runs an autonomous copy of scan engine and Scanner to perform the specified scan, terminating them after it is over. Note that threats detected during autonomous scanning will not be added to the common list of threats detected displayed by threats command (see below), and information on them will not be sent to the centralized protection server, if Dr.Web for Linux is controlled by it.

--stdin—get the list of paths to be scanned from the standard input stream (stdin). Paths in the list must be separated with the new line character (\n).

--stdin0—get the list of paths to scan from the standard input stream (stdin). Paths in the list must be separated by the zero character NUL (\0).

When using --stdin and --stdin0 options, the paths on the list should not contain patterns or regular expressions for a search. We recomment that you use the --stdin and --stdin0 options to process a paths list generated by an external utility, for example, find in the scan command (see Usage Examples).

--Exclude <path>—an excluded path. The path can be relative and contain a file mask (with the following wildcards: ? and *, as well as character classes '[ ]', '[! ]', and '[^ ]').

Optional parameter; can be set more than once.

--Report <type>—specify a type of the scan report.

Allowed values:

•BRIEF—a brief report;

•DEBUG—a detailed report;

•JSON—a serialized report in the JSON format.

Default value: BRIEF

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.

If the value is set to 0, nested objects are skipped.

Default value: 8

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, and so on).

If the value is set to 0, nested objects are skipped.

Default value: 8

--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (.pst, .tbb, and so on).

If the value is set to 0, nested objects are skipped.

Default value: 8

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).

If the value is set to 0, nested objects are skipped.

Default value: 8

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be no less than 2.

--MaxSizeToExctract <size>—specify the maximum size for files enclosed in archives. Files which size is greater than the value of this parameter will be skipped when scanning. The size is specified as a number with a suffix (b, kb, mb, gb). If no suffix is specified, the value is treated as a size in bytes.

Default value: none

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No

Default value: 3000

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report

--OnIncurable <action>—an action to perform upon detection an incurable threat or when the curing action (Cure) has failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnSuspicious <action>—an action to perform upon detection of a suspicious object by the heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnAdware <action>—an action to perform upon detection of adware.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report

If the threat is detected in a file inside a container (an archive, an email message, and so on), the container is quarantined (Quarantine) and not deleted (Delete).

--FollowSymlinks—resolve symlinks automatically

bootscan
<device> | ALL

Purpose: Start scanning boot records on the specified disks via the Scanner. Both MBR and VBR records are scanned.

Arguments:

<disk drive>—path to the block file of a disk device whose boot record you want to scan. You can specify several disk devices separated by spaces. The argument is mandatory. If ALL is specified instead of the device file, all boot records on all available disk devices will be checked.

Options:

--Report <type>—specify a type of the scan report.

Allowed values:

•BRIEF—a brief report;

•DEBUG—a detailed report;

•JSON—a serialized report in the JSON format.

Default value: BRIEF

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No

--ShellTrace—output additional debug information when scanning a boot record.

procscan

Purpose: Initiates scanning of executables containing the code of currently running system processes with the Scanner. If a malicious executable file is detected, it is neutralized, and all processes run by this file are forced to terminate.

Arguments: None.

Options:

--Report <type>—specify a type of the scan report.

Allowed values:

•BRIEF—a brief report;

•DEBUG—a detailed report;

•JSON—a serialized report in the JSON format.

Default value: BRIEF

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.

If the value is set to 0, nested objects are skipped.

Default value: 8

--OnKnownVirus <action>—an action to perform upon detection of a known threat by using signature-based analysis.

Possible actions: Report, Cure, Quarantine, Delete.

Default value: Report

--OnIncurable <action>—an action to perform upon detection an incurable threat or when the curing action (Cure) has failed.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnSuspicious <action>—an action to perform upon detection of a suspicious object by the heuristic analysis.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnAdware <action>—an action to perform upon detection of adware.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnDialers <action>—an action to perform upon detection of a dialer.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnJokes <action>—an action to perform upon detection of joke software.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnRiskware <action>—an action to perform upon detection of riskware.

Possible actions: Report, Quarantine, Delete.

Default value: Report

--OnHacktools <action>—an action to perform upon detection of a hacktool.

Possible actions: Report, Quarantine, Delete.

Default value: Report

If a threat is detected in an executable file, Dr.Web for Linux terminates all processes started by the file.

remotescan
<host> <path>

Purpose: Start scanning the specified file or directory at the specified remote host having connected to it using SSH or Telnet.

Note that threats detected by remote scanning are not neutralized and also are not added to the list of detected threats displayed by the threats command (see below).

This function can be used only for detection of malicious and suspicious files on a remote host. To eliminate detected threats on the remote host, it is necessary to use administration tools provided directly by this host. For example, for routers, set-top boxes, and other “smart” devices, a mechanism for a firmware update can be used; for computing machines, it can be done via a connection to them (as an option, using a remote terminal mode) and respective operations in their file system (removal or moving of files, and so on), or via running an anti-virus software installed on them.

Arguments:

<host>—IP address or a domain name of the remote host.

<path>—path to the file or directory to be scanned (the path must be absolute).

Options:

-m [--Method] <SSH|Telnet>—remote host connection method (protocol).

If the method is not specified, SSH is used.

-l [--Login] <name>—login (user name) used for authorization on the remote host via the selected protocol.

If a user name is not specified, there will be an attempt to connect to a remote host on behalf of the user who has launched the command.

-i [--Identity] <path to file>—private key file used for authentication of the specified user via the selected protocol.

-p [--Port] <number>—number of the port on the remote host for connecting via the selected protocol.

Default value: default port for the selected protocol (22 for SSH, 23 for Telnet).

--ForceInteractive—use the SSH interactive session (only for SSH connections).

Optional parameter.

--TransferListenAddress <address>—address for receiving files transferred from the remote device for scanning.

Optional feature. If not indicated, an arbitrary address is used.

--TransferListenPort <port>—port for receiving files transferred from the remote device for scanning.

Optional parameter. If not indicated, an arbitrary port is used.

--TransferExternalAddress <address>—address for the remote device to send files for scanning.

Optional parameter. If not indicated, the --TransferListenAddress option value or the outgoing address of the already established session is used.

--TransferExternalPort <port>—port to transfer files for scanning, specified for the remote device.

Optional feature. If not indicated, an automatically determined port is used.

--Password <password>—password used for authentication of a user via the selected protocol.

Please note that the password is transferred as a plain text.

--Exclude <path>—path to be excluded from scanning. The path can contain a file mask with the following allowed symbols: ? and *, as well as the symbol classes '[ ]', '[! ]', '[^ ]'. The path (including the path with the file mask) must be absolute.

Optional parameter; can be set more than once.

--Report <type>—specify a type of the scan report.

Allowed values:

•BRIEF—a brief report;

•DEBUG—a detailed report;

•JSON—a serialized report in the JSON format.

Default value: BRIEF

--ScanTimeout <number>—specify time-out to scan one file, in ms.

If the value is set to 0, scanning time is not limited.

Default value: 0

--PackerMaxLevel <number>—set the maximum nesting level when scanning packed objects.

If the value is set to 0, nested objects are skipped.

Default value: 8

--ArchiveMaxLevel <number>—set the maximum nesting level when scanning archives (.zip, .rar, and so on).

If the value is set to 0, nested objects are skipped.

Default value: 8

--MailMaxLevel <number>—set the maximum nesting level when scanning email messages (.pst, .tbb, and so on).

If the value is set to 0, nested objects are skipped.

Default value: 8

--ContainerMaxLevel <number>—set the maximum nesting level when scanning other containers (HTML and so on).

If the value is set to 0, nested objects are skipped.

Default value: 8

--MaxCompressionRatio <ratio>—set the maximum compression ratio of scanned objects.

The ratio must be no less than 2.

Default value: none

--Cure <Yes|No>—enable or disable attempts to cure detected threats.

If the value is set to No, only a notification about a detected threat is displayed.

Default value: No

Default value: 3000

--HeuristicAnalysis <On|Off>—enable or disable the heuristic analysis during the scanning.

Default value: On

checkmail
<path to file>

Purpose: Performs scan of an email message saved to a file for threats, signs of spam, malicious links, or non-compliance with rules of mail processing (using the emails processing component). The console output thread (stdout) will display the message scanning results and the action applied to this message while scanning by the email processing component.

Arguments:

<path to file>—path to the file of the email message to be scanned. Mandatory argument.

Options:

--Report <type>—specify a type of the scan report.

Allowed values:

•BRIEF—a brief report;

•DEBUG—a detailed report;

•JSON—a serialized report in the JSON format.

Default value: BRIEF

-r [--Rules] <list of rules>—indicate a list of rules to follow during scanning of an email message.

If the rules are not indicated, the following set of rules used by default will be applied:

threat_category in (KnownVirus, VirusModification, UnknownVirus, Adware, Dialer) : REJECT
total_spam_score gt 0.80 : REJECT
url_category in (InfectionSource, NotRecommended, CopyrightNotice) : REJECT

If Dr.Web Anti-Spam is not installed, the scanning rule for spam (the second string) will be automatically excluded from the set.

-c [--Connect] <IP>:<port>—indicate a network socket to be used as a connection address of a sender of the scanned message.

-e [--Helo] <name>—indicate an identifier of the client that sent the message (an IP address or FQDN host, as for the HELO/EHLO SMTP command).

-f [--From] <email>—email address of a sender (as for the MAIL FROM SMTP command).

If the address is not indicated, the respective address from an email will be used.

-t [--Rcpt] <email>—email address of a recipient (as for the RCPT TO SMTP command).

If the address is not indicated, the respective address from an email will be used.

If email processing component is not installed, calling this command will return an error.

Except above-mentioned commands, the drweb-ctl tool supports additional scanning parameters. To read their descriptions, refer to the man 1 drweb-ctl documentation.

3.2. Commands to manage updates and operation in the centralized protection mode

The following commands for managing updates are available, as well as commands for operation in the centralized protection mode:

Command

Description

update

Purpose: Initiates updates of anti-virus components (virus databases, the scan engine, etc., depending on the distribution) from the Doctor Web update servers or the local cloud, terminates the updating process if already running, or performs rollback of the latest update to previous versions of the updated files.

The command has no effect if Dr.Web for Linux is connected to the centralized protection server.

Arguments: None.

Options:

--From <path>—apply updates offline from a specified directory.

--Path <path>—store files for updating offline in a specified directory; if this directory already has files, then they will be updated.

--Rollback—rollback the last update, and restore the previous version of files that have been updated during the last update.

--Stop—terminate the running updating process.

esconnect
<server>[:<port>]

Purpose: Connect Dr.Web for Linux to the specified centralized protection server (for example, Dr.Web Enterprise Server). For details on the operation modes, refer to the Operation Modes.

Arguments:

•<server>—IP address or network name of the host on which the centralized protection server is operating. This argument is mandatory.

•<port>—port number used by the centralized protection server. The argument is optional and should be specified only if the centralized protection server uses a non-standard port.

Options:

--Certificate <path>—a file path to a certificate of the centralized protection server, the connection to which will be established.

--Login <ID>—login (workstation identifier) used for connection to the centralized protection server.

--Password <password>—password for connection to the centralized protection server.

--Group <ID>—identifier of the group to which the workstation is added on connection.

--Rate <ID>—identifier of the tariff group applied to your workstation when it is included in one of the centralized protection server groups (can be specified only together with the --Group option).

--Compress <On|Off>—enable (On) or disable (Off) forced compression of transmitted data. If not specified, usage of compression is determined by the server.

--Encrypt <On|Off>—enable (On) or disable (Off) forced encryption of transmitted data. If not specified, usage of encryption is determined by the server.

--Newbie—connect as a “newbie” (get a new account on the server).

This command requires drweb-ctl to be started with superuser (root) privileges. If necessary, use the su or sudo commands.

esdisconnect

Purpose: Disconnect Dr.Web for Linux from the centralized protection server and switch it to a standalone mode.

The command has no effect if Dr.Web for Linux already operates in the standalone mode.

Arguments: None.

Options: None.

This command requires drweb-ctl to be started with superuser (root) privileges. If necessary, use the su or sudo commands.

3.3. Configuration Management Commands

The following commands to manage configuration are available:

Command

Description

cfset
<section>.<parameter> <value>

Purpose: Change the active value of the specified parameter in the current configuration of Dr.Web for Linux.

Arguments:

•<section>—name of the configuration file section which provides the parameter. This argument is mandatory.

•<parameter>—name of the parameter to be changed. This argument is mandatory.

•<value>—new parameter value. This argument is mandatory.

To specify a parameter value, the format <section>.<parameter> <value> is always used, the assignment character = is not used.

Note that if you want to indicate several parameter values, you need to repeatedly call the cfset command, as many times as the number of parameter values you want to add. To add a new value to the list of parameter values, you need to use the -a option (see below). You cannot specify the string <parameter> <value 1>, <value 2> as an argument, because the string "<value 1>, <value 2>" will be considered one value of the <parameter>.

For description of the configuration file, refer to the documentation page displayed by man 5 drweb.ini.

Options:

-a [--Add]—do not substitute the current parameter value but add the specified value to the list (allowed only for parameters that can have several values, specified as a list). You should also use this option to when adding a new parameter group identified by a tag.

-e [--Erase]—do not substitute the current parameter value but remove the specified value from the list (allowed only for parameters that can have several values, specified as a list).

-r [--Reset]—reset the parameter value to the default. At that, <value> is not required in the command and is ignored if specified.

Options are not mandatory. If they are not specified, then the current parameter value (the entire list of values, if the parameter currently holds several values) are substituted with the specified value.

This command requires drweb-ctl to be started with superuser privileges. If necessary, use the su or sudo commands.

cfshow
[<section>[.<parameter>]]

Purpose: Display parameters of the current configuration of Dr.Web for Linux.

The command to display parameters is specified as follows: <section>.<parameter> = <value>. Sections and parameters of non-installed components are not displayed by default.

Arguments:

•<section>—name of the configuration file section parameters of which are to be displayed. The argument is optional. If not specified, parameters of all configuration file sections are displayed.

•<parameter>—name of the displayed parameter. Optional argument. If not specified, all parameters of the section are displayed. Otherwise, only this parameter is displayed. If a parameter is specified without the section name, all parameters with this name from all of the configuration file sections are displayed.

Options:

--Uncut—display all configuration parameters (not only those used with the currently installed set of components). If the option is not specified, only parameters used for configuration of the installed components are displayed.

--Changed—display only those parameters whose values differ from the default ones.

--Ini—display parameter values in the .ini file format: at first, the section name is specified in square brackets, then the section parameters listed as <parameter> = <value> pairs (one pair per line).

--Value—output only the value of the specified parameter. The <parameter> argument is mandatory in this case.

reload

Purpose: Restart Dr.Web for Linux service components. During the procedure, logs are reopened, the configuration file is reread, and the attempt to restart abnormally terminated components is performed.

Arguments: None.

Options: None.

3.4. Commands to Manage Detected Threats and Quarantine

The following commands for managing threats and quarantine are available:

Command

Description

threats
[<action> <object>]

Purpose: Apply the specified action to detected threats, selected by their identifiers. Type of the action is specified by the command option.

If the action is not specified, displays information on detected but not neutralized threats. The information on threats is displayed according the format, specified using the optional --Format option. If the --Format option is not specified, for each threat the following information is displayed:

•an identifier assigned to the threat (its ordinal number);

•the full path to the infected file;

•information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company).

•information about the file: its size, owner, time of last modification;

•history of operations applied to an infected file: detection, applied actions, etc.

Arguments: None.

Options:

--Format "<format string>"—output information on threats in the specified format. The description of format string is below.

If this option is specified together with any action option, it is ignored.

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is specified together with any action option, it is ignored.

--Directory <list of directories>—output only threats detected in files in directories from <list of directories>.

If this option is specified together with any option provided below, it is ignored.

--Cure <threat list>—attempt to cure the listed threats (threat identifiers are comma-separated).

--Quarantine <threat list> moves the listed threats to quarantine (threat identifiers are comma-separated).

--Delete <threat list>—delete the listed threats (threat identifiers are comma-separated).

--Ignore <threat list>—ignore the listed threats (threat identifiers are comma-separated).

If you need to apply the action to all detected threats, specify All> instead of <threat list. For example, the command:

$ drweb-ctl threats --Quarantine All

quarantines all detected malicious objects.

quarantine
[<action> <object>]

Purpose: Apply an action to the specified object in quarantine.

If an action is not specified, information on quarantined objects and their identifiers together with brief information on original files moved to quarantine is displayed. Information on isolated objects is displayed according a format, specified with optional --Format argument. If the --Format argument is not specified, for every isolated (quarantined) object the following information is displayed:

•Identifier assigned to the quarantined object.

•The original path to the file, before it was moved to quarantine.

•The date when the file was put in quarantine.

•Information about the file: size, the file owner’s user name, the time of last modification.

•Information about the threat (name of the threat, threat type according to the classification used by the Doctor Web company).

Arguments: None.

Options:

-a [--Autonomous] starts a separate instance of the Scanner to perform the specified quarantine command and terminate it upon completion.

This option can be applied along with any options mentioned below.

--Format "<format string>"—display information about quarantined objects in the specified format. The description of format string is below.

If this option is specified together with any action option, it is ignored.

-f [--Follow]—wait for new messages about new threats and display them once they are received (CTRL+C interrupts the waiting).

If this option is specified together with any action option, it is ignored.

--Discovery [<list of directories>,] searches for quarantine directories in the specified list of directories and add them to the consolidated quarantine upon detecting a threat. If the <list of directories> is not specified, search for quarantine directories in the common locations of the file system (volume mounting points and user home directories).

This option can be specified not only with the -a (--Autonomous) option (see above), but also with any options/actions listed below. Moreover, if the quarantine command is launched as an autonomous copy, that is, with the -a (--Autonomous) option but without the --Discovery option, then it is equivalent to the call of:

quarantine --Autonomous --Discovery

--Delete <object>—delete the specified quarantined object.

Note that objects are deleted from quarantine permanently—this action is irreversible.

--Cure <object>—try to cure the specified object in the quarantine.

Note that even if the object was successfully cured, it will remain in quarantine. To restore the cured object from quarantine, use the --Restore option.

--Restore <object>—restore the specified object from the quarantine to its original location.

Note that this command may require drweb-ctl to be started with root privileges. You can restore the file from quarantine even if it is infected.

--TargetPath <path>—restore an object from quarantine to the specified location: either as a file with the the specified name (if <path> is a path to a file), or to the specified directory (if <path> is a path to a directory). A path can be absolute or relative (referring to a current directory).

Note that this option can only be used in combination with the --Restore option.

As an <object>, specify the object identifier in quarantine. To apply the action to all quarantined objects, specify All> instead of <object. For example, the command:

$ drweb-ctl quarantine --Restore All --TargetPath test

restores all quarantined objects and puts them in test subdirectory, located in a current directory, from which drweb-ctl command was launched.

Note that for the --Restore All variant the additional option --TargetPath, if specified, must set a path to a directory, not a path to a file.

Formatted output for threats and quarantine commands

The output format is defined using the format string, specified as the optional argument --Format. The format string must be specified in quotes. The format string can include common symbols (displayed “as is”), as well as special markers, output as certain information. The following markers are available:

1.Common for threats and quarantine commands:

Marker	Description
%{n}	New line
%{t}	Tabulation
%{threat_name}	The name of detected threat (virus) according to Doctor Web classification
%{threat_type}	Threat type (“known virus”, and so on) according to Doctor Web classification
%{size}	Original file size
%{origin}	The full name of the original file with path
%{path}	Synonym of %{origin}
%{ctime}	Modification date/time of the original file in "%Y-%b-%d %H:%M:%S" format (for example, "2018-Jul-20 15:58:01")
%{timestamp}	Similar to %{ctime}, but in the UNIX timestamp format
%{owner}	The original file owner
%{rowner}	The remote owner of the original file (if not applicable or value is unknown it is replaced with ?)

2.Specific for threats command:

Marker	Description
%{hid}	The identifier of the threat record in the history of events associated with the threat
%{tid}	The threat identifier
%{htime}	Date/time of the event related to the threat
%{app}	The identifier of the Dr.Web for Linux component which processed a threat
%{event}	The latest event related to a threat: •FOUND—a threat was detected; •Cure—a threat was cured; •Quarantine—a file with a threat was quarantined; •Delete—a file with threat was deleted; •Ignore—a threat was ignored; •RECAPTURED—a threat was detected again by another component.
%{err}	Error message text (if no error has occurred, the text is replaced with an empty string)

3.Specific for quarantine command:

Marker	Description
%{qid}	The identifier of the quarantined object
%{qtime}	Date/time of moving the object to quarantine
%{curetime}	Date/time of curing attempt of the quarantined object (if not applicable or the value is unknown, it is replaced with ?)
%{cureres}	The result of the quarantined object curing attempt: •cured—a threat is cured; •not cured—a threat was not cured or no curing attempts were performed.

Example

$ drweb-ctl quarantine --Format "{%{n} %{origin}: %{threat_name} - %{qtime}%{n}}"

This command displays quarantine contents as records of the following type:

{
<path to file>: <threat name> - <date of moving to quarantine>
}
…

3.5. Information Commands

The following information commands are available:

Command

Description

appinfo

Purpose: Output information about active Dr.Web for Linux components.

The following information is displayed about each component that is currently running:

•Internally-used name.

•GNU/Linux process identifier (PID).

•State (running, stopped, and so on).

•Error code, if the work of the component has been terminated because of an error.

•Additional information (optional).

For the configuration daemon (drweb-configd) the following is displayed as additional information:

•The list of installed components—Installed.

•The list of components which must be launched by the configuration daemon—Should run.

Arguments: None.

Options:

-f [--Follow]—wait for new messages on module status change and display them once such a message is received (CTRL+C interrupts waiting).

baseinfo

Purpose: Display the information on the current version of the scan engine and status of virus databases.

The following information is displayed:

•Version of the scan engine.

•Date and time when the virus databases that are currently used were issued.

•The number of available virus records (in the virus databases).

•The time of the last successful update of the virus databases and of the scan engine.

•The time of the next scheduled automatic update.

Arguments: None.

Options:

-l [--List]—displays the full list of downloaded files of virus databases and number of virus records in each file.

certificate

Purpose: Display contents of the trusted Dr.Web certificate used by Dr.Web for Linux to scan protected connections if this option is enabled on the settings page. To save the certificate to the <cert_name>.pem file, you can use the command:

$ drweb-ctl certificate > <cert_name>.pem

Arguments: None.

Options: None.

events

Purpose: View Dr.Web for Linux events. Apart from that, this command allows you to manage the events (marking as read, deleting).

Arguments: None.

Options:

--Report <type>—specify an event report type.

Allowed values:

•BRIEF—a brief report;

•DEBUG—a detailed report;

•JSON—a serialized report in the JSON format.

-f [--Follow]—wait for new events and display them upon their occurrence (CTRL+C interrupts the standby).

-s [--Since] <date, time>—display the events that occurred before the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

-u [--Until] <date, time>—show the events that occurred no later than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

-t [--Types] <type list>—display events of the specified types only (event types are comma-separated).

The following event types are available:

•Mail—indicates that a threat has been detected in an email;

•UnexpectedAppTermination—unexpected shutdown of a component.

To view all types of events, use All.

--ShowSeen—display already read events as well.

--Show <list of events>—display the listed events (event identifiers are comma-separated).

--Delete <list of events>—remove the listed events (event identifiers are comma-separated).

--MarkAsSeen <list of events>—marks the listed events as read (event identifiers are comma-separated).

If you want to mark as “read” or delete all events, specify All> instead of <events list. For example, the command:

$ drweb-ctl events --MarkAsSeen All

will mark all existing events as “read”.

report <type>

Purpose: Create a report on Dr.Web for Linux events in the HTML format (the page body is output to the specified file).

Arguments:

<type>—event type that required reporting (indicate one type). See possible values in the --Types option description of the events command above. A mandatory argument.

Options:

-o [--Output] <path to file>—save the report to the specified file. The option is mandatory.

-s [--Since] <date, time>—report events that occurred no earlier than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

-u [--Until] <date, time>—report events that occurred no later than the specified timestamp (<date, time> is specified as "YYYY-MM-DD hh:mm:ss").

--TemplateDir <path to directory>—a path to the directory that contains HTML report templates.

Options -s, -u, and --TemplateDir are not mandatory. For example, the command:

$ drweb-ctl report Mail -o report.html

generates a report on all existing email message threat detection events, based on the default template, and saves the result in the report.html file in the current directory.

license

Purpose: Display the information about the currently active license, or get a demo-version license, or get the key file for a license that has already been registered (for example, that has been registered on the company website).

If no options are specified, then the following information is output (if you are using a license for the standalone mode):

•a license number;

•date and time when the license expires.

If you are using a license provided to you by the centralized protection server (for the use of the product in the centralized protection mode or in the mobile mode), then the appropriate message will be displayed.

Arguments: None.

Options:

--GetDemo requests a demo key that is valid for one month. You receive the key if you meet the conditions for the provision of a demo period.

--GetRegistered <serial number>—get a license key file for the specified serial number, if the conditions for the provision of a new key file have not been breached (for example, breached by using the product not in centralized protection mode, when the license is managed by a centralized protection server).

--Proxy http://<username>:<password>@<server address>:<port>— get a license key via the proxy server (used only with one of the previously mentioned options — --GetDemo or --GetRegistered).

If the serial number is not the one provided for a demo period, you must first register this number at the company website.

For further information about licensing Dr.Web products, refer to the Licensing section.

To register a serial number or to get a demo period, an internet connection is required.

log

Purpose: Output the latest log records of Dr.Web for Linux to the console screen (the stdout stream), similar to the tail command.

Arguments: None.

Options:

-s [--Size] <number>—the number of the last log records that are to be displayed on a screen.

-c [--Components] <components list>—the list of component identifiers, which records are displayed. Identifiers are defined with comma separation. If the argument is not defined, all available records logged by all components are displayed.

Actual identifiers of the installed components (e.g. internal component names displayed in the log) can be displayed with the appinfo command (see above).

-f [--Follow]—wait for new messages in log and display them once they are received (interrupt waiting by pressing CTRL+C).