Dr.Web Security Space is a software suite consisting of a set of components, where each component has its own set of functions. The components are separated into the following categories according to their objectives:
•Basic anti-virus components that form the Dr.Web Security Space core. In the absence of the components under this category, the product cannot scan files (and other data) for viruses and other threats.
•Threat search components. These components are used to solve Dr.Web Security Space basic tasks—detecting threats and potentially dangerous objects. In their operation the components falling under this category use basic anti-virus components.
•Service components that complete auxiliary tasks to maintain anti-virus protection (updating anti-virus databases, connecting to centralized protection servers, managing general Dr.Web Security Space operation and so on).
•Interface components that provide (the user or third-party applications) with the Dr.Web Security Space management interface.
Below is the list of Dr.Web Security Space components.
1.Basic Anti-virus Components
Component
|
Description
|
Dr.Web Virus-Finding Engine
|
Anti-virus engine. Implements algorithms to detect viruses and other malware (by using signature and heuristic analyses).
Managed by the Dr.Web Scanning Engine component
Library file: drweb32.dll.
Logged internal name: CoreEngine
|
Dr.Web Scanning Engine
|
Scanning engine. This component loads Dr.Web Virus-Finding Engine and virus databases.
•Passes the contents of files and boot records to the anti-virus engine for scanning.
•Manages a queue of the files to be scanned.
•Cures threats to which this action is applicable.
Operates under the control of the Dr.Web ConfigD daemon or in standalone mode.
Used by the Dr.Web File Checker and Dr.Web Network Checker components. Also can be used by the Dr.Web MeshD component (in particular modes) and by external (in relation to Dr.Web Security Space) applications using directly the Dr.Web Scanning Engine API
Executable file: drweb-se.
Logged internal name: ScanEngine
|
Virus databases
|
Automatically updated database of signatures of viruses and other threats, as well as of malware detection and neutralization algorithms.
Used by Dr.Web Virus-Finding Engine and is supplied with it
|
Databases of web resource categories
|
Automatically updated database containing a list of categorized web resources and being used to identify unwanted websites.
Used by components that scan network activity of users and applications, such as SpIDer Gate, Dr.Web MailD
|
Dr.Web File Checker
|
Component for scanning file system objects and a quarantine manager.
•Receives tasks from the threat scanning component on scanning files in the local (relative to Dr.Web Scanning Engine) file system.
•Surfs the file system directories according to the task, sends files for scanning to Dr.Web Scanning Engine and notifies the client components about the scanning progress.
•Deletes infected files, puts them in and restores them from quarantine, manages quarantine directories.
•Builds the cache and keeps it up-to-date. The cache contains information about previously scanned files to reduce the frequency of rescanning files.
Used by components that scan file system objects, such as SpIDer Guard
Executable file: drweb-filecheck.
Logged internal name: FileCheck
|
Dr.Web Network Checker
|
Network data scanning agent.
•Used to send data to the scanning engine for actual scanning. The data is sent by components of the product via the network (such components as SpIDer Gate, Dr.Web MailD).
•Allows Dr.Web Security Space to manage distributed file scanning: to receive/transmit files for scanning from/to remote hosts. For that purpose, remote hosts must feature an installed and running Dr.Web for Unix operating systems. In the distributed scanning mode, it allows automatic distribution of scanning load among available hosts by reducing load on hosts with a large number of scanning tasks (for example, on mail servers and internet gateways).
If the network contains partner hosts that can receive data for scanning, the components that use Dr.Web Network Checker for scanning may operate without local Dr.Web Scanning Engine. Thus, local Dr.Web Scanning Engine, Dr.Web Virus-Finding Engine and virus databases may be absent.
For security reasons, files are transmitted over the network using SSL
Executable file: drweb-netcheck.
Logged internal name: NetCheck
|
Dr.Web URL Checker
|
Component designed to check URLs for belonging to unwanted or potentially dangerous categories
Executable file: drweb-urlcheck.
Logged internal name: UrlCheck
|
Dr.Web MeshD
|
Component that connects Dr.Web Security Space to a local cloud, which allows Dr.Web for Unix products to exchange updates, results of file scanning, transmit files to each other for scanning, as well as to provide scanning engine services directly.
If this component is included in the product and the local cloud to which it is connected contains hosts providing scanning engine services, local Dr.Web Scanning Engine, Dr.Web Virus-Finding Engine and virus databases may be absent
Executable file: drweb-meshd.
Logged internal name: MeshD
|
2.Threat Search Components
Component
|
Description
|
Scanner
|
Component that performs scanning of file system objects (files, directories and boot records) for threats on user demand or on schedule. The user can start scanning either in graphical mode or in command line mode.
|
SpIDer Guard
|
GNU/Linux File System Monitor.
Operates in background mode and controls file operations (such as creation, opening, closing, running) in GNU/Linux file systems. It sends the Dr.Web File Checker component requests to scan new or modified files as well as executables of programs when they are run.
Depending on OS features, uses the fanotify system mechanism or a custom kernel module developed by the Doctor Web company (LKM is supplied with SpIDer Guard as a separate package). When the fanotify system mechanism is used, the monitor can operate in enhanced or “paranoid” mode, blocking access to the files that have not been scanned yet until the scan is complete. By default, a regular monitoring mode is enabled.

|
The component is supplied only with the distributions designed for GNU/Linux OSes.
|
Executable file: drweb-spider.
Logged internal name: LinuxSpider
|
Linux loadable kernel module for SpIDer Guard
|
Linux loadable kernel module (LKM) used by SpIDer Guard to have access to file system events in some operating systems, where fanotify API is unavailable or implemented with limited functionality.
The component is distributed both as a binary (for a set of operation systems where fanotify is not implemented or is unavailable) and as source code allowing to build and install the operating system kernel module manually (for the instruction, refer to the Appendix F. Building Kernel Module for SpIDer Guard section).

|
The component is supplied only with the distributions designed for GNU/Linux OSes.
The loadable kernel module is not supported for architectures ARM64, E2K and IBM POWER (ppc64el).
|
Executable file: drweb.ko
|
SpIDer Gate
|
Component for monitoring network traffic and URLs.
It is designed to scan data downloaded from the network to the local host and passed from it to the external network for threats. The component also prevents connections with the network hosts added to the unwanted categories of web resources or black lists created by the user.
Uses the Dr.Web Network Checker component to scan received data.
Sends files downloaded from the internet (from the servers access to which is not restricted) to Scanner and blocks downloading them if they contain threats.
If allowed by the user, sends requested URLs to the Dr.Web Cloud service for scanning.
Executable file: drweb-gated.
Logged internal name: GateD
|
Dr.Web Firewall for Linux
|
Network connection monitor.
Used by SpIDer Gate and provides connection routing for applications that operate on a host to scan traffic of these connections.
Executable file: drweb-firewall.
Logged internal name: LinuxFirewall
|
Dr.Web MailD
|
Component for scanning email messages.
Analyzes email messages and prepares them for scanning for threats. It can operate in two modes.
1)Filter for mail servers (Sendmail, Postfix, and so on) connected via the Milter interface, Spamd or Rspamd interfaces.
2)Transparent proxy of email protocols (SMTP, POP3, and IMAP). SpIDer Gate is used in this mode.
Uses the Dr.Web Network Checker component to scan data extracted from email messages
Executable file: drweb-maild.
Logged internal name: MailD
|
Dr.Web Anti-Spam
|
Component for scanning email messages for signs of spam.
Used by the Dr.Web MailD component. Can be unavailable depending on distribution. If it is unavailable, scanning email messages for sings of spam is not performed by the Dr.Web MailD component.

|
The component is not supported for ARM64, E2K and IBM POWER (ppc64el) architectures.
|
Executable file: drweb-ase.
Logged internal name: Antispam
|
3.Service Components
Component
|
Description
|
Dr.Web CloudD
|
Dr.Web Cloud interaction component.
Sends URLs visited by the user and information about the scanned files to Dr.Web Cloud to scan them for threats not yet covered by virus databases
Executable file: drweb-cloudd.
Logged internal name: CloudD
|
Dr.Web ConfigD
|
Dr.Web Security Space configuration daemon.
•Starts and stops other product components depending on the settings.
•Restarts components if a failure in their operation occurs. Starts components at the request of other components. Informs active components when another component starts or shuts down.
•Stores information about current license keys and settings and provides this information to all components. Receives adjusted settings and license keys from the designated components of Dr.Web Security Space. Notifies other components of changes in license keys and settings
Executable file: drweb-configd.
Logged internal name: ConfigD
|
Dr.Web ES Agent
|
Centralized protection agent. Ensures product operation in the centralized protection and mobile modes.
•Provides connection between the product and the centralized protection server, receives a license key file, updates of the virus databases and anti-virus engine.
•Sends the information about the Dr.Web Security Space components, their status and statistics on threat events to the server
Executable file: drweb-esagent.
Logged internal name: ESAgent
|
Dr.Web Mail Quarantine
|
Email message scanning component which manages queues of messages to be scanned.
Used by the Dr.Web MailD component. Can be unavailable depending on distribution. If it is unavailable, the SMTP and BCC modes of Dr.Web MailD are not supported.
Executable file: drweb-mail-quarantine.
Logged internal name: MailQuarantine
|
Dr.Web StatD
|
Component for storing Dr.Web Security Space component operation events.
Receives and stores product component events, such as unexpected shutdown, threat detection and so on.
Executable file: drweb-statd.
Logged internal name: StatD
|
Dr.Web Updater
|
Updating component.
Downloads updates of virus databases and databases of web resource categories, the anti-virus engine and the library for scanning email messages for signs of spam from Doctor Web servers.
The updates can be downloaded automatically, on schedule, and on user demand (via the Dr.Web Ctl utility)
Executable file: drweb-update.
Logged internal name: Update
|
4.Interface Components
Component
|
Description
|
Graphical Management Interface
|
Component that provides a window graphical interface for management of Dr.Web Security Space. It allows the user to run scanning of file system objects in graphical mode, manage operation of the SpIDer Guard and SpIDer Gate monitors, view quarantined objects, start receiving updates and also configure Dr.Web Security Space operation.
|
Notification Agent
|
Component that operates in background mode. It displays pop-up notifications on events and the Dr.Web Security Space indicator in the notification area, runs scheduled scanning. By default it is started together with a user session in the desktop environment.
|
License Manager
|
Component that facilitates managing licenses in graphical mode. It allows to activate a license or a demo period, view information about the current license, renew it, and install or remove a license key file.
|
Dr.Web Ctl
|
Tool designed to manage Dr.Web Security Space from the command line.
Allows the user to start file scanning, view and manage quarantined objects, start a virus database update procedure, connect Dr.Web Security Space to or disconnect it from a centralized protection server, view and change product parameters
Executable file: drweb-ctl.
Logged internal name: Ctl
|
For details on Dr.Web Security Space components, refer to Dr.Web Security Space Components.
|