Dr.Web Security Space
Contents
1. To defile rule sets for network interfaces Rule Default Rule v 1 In the Dr Web Firewall settings window select Interfaces 2 For an interface of interest select the appropriate ruleset If the ruleset does not exist you can create a new set of packet filtering rules 3 Click OK to save changes or click Cancel to close the window without saving changes To list all available interfaces click All This opens a windows where you can selected interfaces that should be listed in the table permanently Active interfaces are listed in the table automatically To configure rules for interfaces click Configure 129 Ta J 1 aX 10 Dr Web Firewall Packet Filter Packet filtering allows you to control access to network regardless of which program initiates connection Dr Web Firewall applies these rules to network packets transmitted through network interfaces of your computer Packet filtering allows you to control access to networks on a lower level than the application filter thus providing you with more flexible options Dr Web Firewall provides you the following default filtering rule sets e Allow all this rule set configures Dr Web Firewall to pass through all packets e Deny all this rule set configures Dr Web Firewall to block all packets e Default rule this set includes rules describing the most popular system configurations and preventing common network attacks2. ax 2 Installing Dr Web Security Space 33 2 3 Obtaining Key Files The registration procedure for a new key file starts automatically during installation or can be launched from the SpIDer Agent menu once the installation is complete This procedure helps you connect to the official Doctor Web website and register your installation To obtain a key file 1 During the first step of the procedure you will be asked to choose what type of key file you would like to obtain either a license or a demo key file In order for Dr Web product to operate you need a license key file To continue please register and obtain a license or demo key file from Doctor Web servers Demo key file You do not need a seria number to get the 30 day demo key file Please note that you may receive the demo key file no more frequently than once every 4 months License key file Please enter serial number Whatis a key file Where is the serial number next O concel _ If you received a serial number when you purchased your Dr Web product select License key file and enter the serial number If you want to install the product for demonstration purposes select Demo key file and go to step 2 Ta yan A A 2 Installing Dr Web Security Space 34 If you have used Dr Web Security Space in the past A you may be eligible for a 150 day extension to your new license To enable the bonus enter your registe
3. Apply predefined rule Allow network connection for application on port 389 dap Create custom rule The network application was launched by unknown process If you are not sure that the application should be allowed to start network processes you should block this action for the application Description Allow Block Publisher Path C Print driver host for 32bit applications Wrico C windows splwow64 exe Microsoft Office Word Mico C program files x86 microsoft office office 11 a A You need administrative rights to create rules 10 2 Managing Dr Web Firewall Dr Web Firewall installs as a network component and loads on Windows startup If necessary you can suspend Dr Web Firewall operation review its statistics or change settings After a session under limited user account Guest is open Firewall displays an access error message Firewall status is then displayed A as inactive in SpIDer Agent However Firewall is enabled and operates with default settings or settings set earlier in administrative mode You can configure and manage Dr Web Firewall using SpIDer Agent 10 Dr Web Firewall 120 About Register license My Dr Web Help Gi SplDer Guard SplDer Mail SplDer Gate amp Parental Control Firewall Mvv v Statistics Updater Sating Scanner Disable Disable Self protection Tools User
4. 6 2 SpIDer Mail Settings To modify SpIDer Mail settings open the settings window as described in Managing SpIDer Mail When editing the settings use the program s help system general help for each page is generated by pressing the Help button there is also a context prompt for certain elements of the interface When adjusting is finished click OK Most default settings are optimal for the majority of situations The most frequently used parameters except the default ones are described below Anti spam Anti spam filter activity Do not check mail for spam Allow C text Allow Asian text Add the following prefix to subjects of spam messages DrWeb Spamstate header to each checked message Ta J 1 ys 6 SpIDer Mail To configure default actions 1 In the Infected messages drop down list choose the program s action upon detection of an infected message Cure action is recommended In the Incurable messages drop down list choose the program s action upon detection of an incurable message Move to quarantine action is recommended Other actions with moved files are described in Neutralizing Detected Threats In the Suspicious messages drop down list choose the program s action upon detection of a suspicious message Move to quarantine action is recommended In the Non checked messages and Malformed messages drop down lists choose the program s action upon detectio
5. apply the rule when packet is sent into the network from your computer Ta 1 ax 10 Dr Web Firewall 136 e Any apply the rule regardless of packet transfer direction Packet header Packet header E g transport or network protocol Logging mode The logging mode for the rule This parameter defines which information is stored in the Dr Web Firewall log e Log headers log packet headers only e Entire packet log whole packets e No logging do not log any information Rule name The rule name Description The rule description 3 When you finish adjusting the settings click OK to save changes or Cancel to reject them To configure extended filtering parameters Use the following options e To add a new higher or lower level packet header click the Add header e To configure a filed within the header click the button on the right or left of a packet corresponding Browse button e To remove a header or a field within a header click the corresponding Remove button The Add and Browse 2 buttons are inactive when the corresponding action is not available For instance when there is not criteria for filtering by header fields for the selected packer header or filtering by higher or lower level headers is not possible Ta 3 N 10 Dr Web Firewall 137 Ws Example Adding a packet filter that allows all packets from a sub network may look as follows a
6. 2 Click Browse then select the restricted object in the standard dialog window 3 To add other files and folders to the list repeat steps 1 to 2 To remove a file or folder from the list select the corresponding item in the list and click Delete Users will be able to access the object again Ta J 1 ax 10 Dr Web Firewall 114 10 Dr Web Firewall Dr Web Firewall protects your computer from unauthorized access and prevents leak of vital data through networks Dr Web Firewall monitors connection attempts and data transfer and helps you block unwanted or suspicious connections both on network and application levels Main Features Dr Web Firewall provides you with the following features e Control and filtration of all incoming and outgoing traffic e Access control on application level Network level packet filtering Fast selection of rule sets Event logging 10 1 Training Dr Web Firewall By default once installation completes Dr Web Firewall starts learning usual behaviour of your operating system by intercepting all new unknown to the firewall connection attempts and prompting you to select the necessary action You can either select a temporary solution or create a rule which will be applied each time Dr Web Firewall detects this type of connection When running under limited user account Guest Firewall does A not prompt requests for network access attempts Notifications are then forwarded to th
7. Custom scan To adjust main scanning options click E GB Boot sectors of all disks W on the toolbar Scanning objects E Random access memory E B Boot disk root folder autorun objects E windows system folder User documents folder My Documents m Temporary files system restore points E B Rootkits Drag and drop files and folder here for checking or click to select When scanning starts Pause and Stop buttons become available You can do the following e to pause scanning click Pause button To resume scanning after pause click Resume button e to stop scanning click Stop button 57 Ta N ys 4 Dr Web Scanner The Pause button is not available at scanning processes and RAM 58 Ta 1 ax 4 Dr Web Scanner 4 2 Neutralizing Detected Threats By default if known viruses or computer threats of other types are detected during scanning Dr Web Scanner informs you about them You can neutralize all detected threats at once by clicking Neutralize In this case Dr Web Scanner applies the most effective actions according its configuration and treat type When necessary you can apply actions separately or change default action for particular threats Threats to your security can be neutralized either by restoring the original state of each infected objects curing or when curing is impossible by removing the infected object completely from you
8. To register and download key files a valid Internet connection is required To receive a license key file a product serial number is required Without a serial number you can only receive a demo key file during installation 1 Launch an Internet browser and go to the site specified on the product registration card supplied with your copy of the product 2 Fill in the registration form Enter the serial number found on the registration card 4 The license key file is archived and sent to the e mail address you specified in the registration form After registration you can also download the license key file from the registration page Windows operating systems extract files from ZIP archives automatically You do not need to purchase or install additional software 5 Install the key file a To acquire key files during installation The key file can be delivered as a key file or an archive containing such a file A user can receive a key file via the Dr Web Updater during installation or the first update The utility registers the program after the serial number is provided on the official website and receives the key file This procedure is available only for Dr Web programs that protect individual workstations Without a serial number a user can only receive a demo key file See Receiving key file It is recommended to keep the key file until it expires If you re install a product or install it on several comput
9. The Enable self protection item will appear A To rollback to a system restore point disable self protection The Tools item opens a submenu that provides access to e License Manager e General Settings of Dr Web Security Space operation e Quarantine e Anti virus Network Ta i ax 3 Getting Started 40 e Report generation wizard Before contacting Doctor Web Technical Support generate a report than indicates how your operating system and Dr Web Security Space are functioning To adjust parameters in the opened window click Report settings The report will be stored as an archive in the Doctor Web subfolder of the USERPROFILE directory The Administrative User mode item allows you to switch between full function Administrative mode and restricted User mode In User mode access to settings of components is forbidden as well as disabling of all components and self protection License Manager and Anti virus Network items are not available too You need administrative rights to switch to Administrative mode This item displays when you do not have administrative privileges A For instance this item displays when you log into Microsoft Windows 2000 or Windows XP operating systems as a non privileged user or when User Account Control of Windows Vista or Microsoft Windows 7 operating system is enabled Otherwise the item is hidden and Dr Web Security Space operates in full function mode all the time Ta
10. 7 ZIP BZIP2 CAB GZIP DZ HA HKI LHA RAR TAR ZIP etc in containers 1C CHM MSI RTF ISO CPIO DEB RPM etc and in mailboxes of mail programs the format of mail messages should conform to RFC822 are also checked By default Dr Web Scanner uses all detection methods to detect viruses and other malicious software Information on all infected or suspicious objects displays in the table where you can manually select a necessary action The default settings are optimal for most cases However if necessary you can modify actions suggested upon threat detection by using Dr Web Scanner settings window Please note that you can set custom action for each detected threat after scan is completed but common reaction for a particular threat type should be configured beforehand 54 4 Dr Web Scanner 55 Complete Scanning of all files on logical drives and removable media User Manual Ta J 1 aX 4 Dr Web Scanner 56 4 1 Scanning Your System Dr Web Scanner is installed as a usual Windows application and can be launched by the user or automatically see Automatic Launch of Scanning It is recommended for the scanner to be run by a user with administrator rights because files to which unprivileged users have no access including system folders are not scanned To launch Scanner Do one of the following Click the Dr Web Scanner icon on the Desktop Click the
11. attempt to cure a file failed e The Suspicious drop down list sets the reaction to the 91 Ta J i ax 7 Dr Web for Outlook 92 detection of a file presumably infected with a virus upon a reaction of the heuristic analyzer In the Malware section set the reaction to the detection of types of unsolicited software such as e Dialers e Jokes e Riskware e Hakctools The If checked failed drop down list allows to configure actions if attachment can not be checked e g if attached file is corrupted of password protected The Check archives recommended flag allows to enable or disable checking of attached archived files Set this flag to enable checking clear to disable For different types of objects actions are assigned separately The following actions for detected virus threats are provided Cure only for infected objects instructs to try to restore the original state of an object before infection As incurable only for infected objects means that the action specified for incurable objects will be performed Delete delete the object Move to quarantine move the object to the special Quarantine folder Skip skip the object without performing any action or displaying a notification Ta N ys 7 Dr Web for Outlook 93 7 3 Spam Check The Spam Filter section is available for Dr Web Security Space A only If your license does not support the Spam filt
12. windows It then installs itself without the user s permission Unstable browser operation and decrease in system performance are common side effects of spyware presence 166 Ta J i ys Appendices Adware Usually this term is referred to a program code implemented into freeware programs which perform forced display of advertisements to a user However sometimes such codes can be distributed via other malicious programs and show advertisements in internet browsers Many adware programs operate with data collected by spyware Joke programs Like adware this type of malicious programs does not deal any direct damage to the system Joke programs usually just generate message boxes about errors that never occurred and threaten to perform actions which will lead to data loss Their purpose is to frighten or annoy a user Dialers These are special programs which are designed to scan a range of telephone numbers and find those where a modem answers These numbers are then used to mark up the price of telephoning facilities or to connect the user to expensive telephone services All the above programs are considered malicious because they pose a threat to the user s data or his right of confidentiality Programs that do not conceal their presence distribute spam and different traffic analyzers are usually not considered malicious although they can become a threat under certain circumstances Among other programs there is als
13. 1 Open License Manager To purchase a new license or renew an existing one you can also use your personal web page on the Doctor Web website To visit your page use the My Dr Web option in the License Manager or SpIDer Agent menu 2 If your current key file is invalid Dr Web Security Space automatically switches to the new license 16 Ta J 1 ax 1 Introduction 1 5 How to Test Anti virus The European Institute for Computer Anti Virus Research EICAR Test File helps test the performance of anti virus programs that detect viruses using signatures For this purpose most anti virus software vendors generally use a standard test com program This program was specially designed to let user test the reaction of newly installed anti virus tools that detect viruses without compromising the security of their computers Although the test com program is not actually a virus it is treated by the majority of anti viruses as if it were one Upon detecting this virus Dr Web Security Space reports the following EICAR Test File Not a Virus Other anti virus tools alert users in a similar way The test com program is a 68 byte COM file that prints the following line on the console when executed EICAR STANDARD ANTIVIRUS TEST FILE The test com file contains the following character string only X50 P AP 4 PZX54 P 7CC 7 EICAR STANDARD ANTIVIRUS TEST FILE H H To create your own test file with the virus you can cre
14. 74bytes journal 3 1 2010 2 23 5 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 5 PC gt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 5 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 5 pPC gt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 5 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 5 PC gt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 4 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 4 PC gt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 4 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 4 PC gt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 4 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes 3 1 2010 2 23 4 PC gt Inet ICMPv4 Ping other Local Area Connection 74bytes Time The date and time when the packet was processed Direction The packet sender e the packet was transmitted from the network to your computer e the packet was transmitted from your computer to the network e the packet sent from the network to your computer was blocked e the packet sent from your computer to the network was
15. A warning about potential errors or any other important comment The following abbreviations are used in this User Manual e GUI Graphical User Interface GUI version of a program a version that utilizes the GUI e OS operating system e PC personal computer e RAM Random Access Memory 10 Ta N ys 1 Introduction 1 3 System Requirements Before installing Dr Web Security Space e Install all critical updates recommended by the operating system developer e Uninstall all other anti virus packages from the computer to avoid possible incompatibility with their resident components e If you install Dr Web Firewall uninstall all other firewalls OS Hard disk space CPU RAM Other One of the following e Microsoft Windows 2000 Workstation SP4 with Update Rollup 1 e Windows XP SP2 or SP3 e Windows Vista e Microsoft Windows 7 e Microsoft Windows 8 Both 32 bit and 64 bit versions of operating systems are supported You may need to download and install certain system components from the official Microsoft website If necessary the program will notify you about the components required and provide download links 450 MB for Dr Web Security Space components Files created during installation will require additional space i686 compatible Minimum 512 MB of RAM Internet connection for updating virus databases and Dr Web Security Space components 11
16. Custom j Windows Explorer C Windows explorer exe G Custom Dr Web Firewall for Windows service C Program Files x86 DrWeb frwl_svc exe To configure rule sets In the Dr Web Firewall settings window select the Applications page and do one of the following to add a new set of rules click New to edit an existing set of rules select the rule set in the list and click Edit to add a copy of existing set of rules select the rule set and click Copy The copy is added after the selected rule set to delete all rules for an application select the appropriate rule set and click Delete If the application file for which the rule was created changes e g due to update installation then Dr Web Firewall asks to confirm that the application is still allowed to access network resources Application Rules The New application rule set or Edit rule set window lists types of the filtering rule for application or process and also a rule set if the Custom type is selected You can change rule type configure the list 122 7 Ci J Kis 10 Dr Web Firewall 123 by adding new rules for the application or modifying existing rules and the order of their execution The rules are applied according to their order in the set Specify application or process to create rule for C Windows system32 services exe Specify rule type Allow all Block all Custom Action Rule name Description Allow packets Al
17. Me programs e WinNT 32 bit Windows NT 2000 XP Vista programs e Win32 32 bit Windows 95 98 Me and NT 2000 XP Vista programs e Win32 NET programs in Microsoft NET Framework operating system e OS2 OS 2 programs e Unix programs in various Unix based systems e Linux Linux programs 170 Ta J i ys Appendices 171 e FreeBSD FreeBSD programs e SunOS SunOS Solaris programs e Symbian Symbian OS mobile OS programs Note that some viruses can infect programs of one system even if they are designed to operate in another system Macrovirus prefixes The list of prefixes for viruses which infect MS Office objects the language of the macros infected by such type of virus is specified e WM Word Basic MS Word 6 0 7 0 e XM VBA3 MS Excel 5 0 7 0 e W97M VBAS MS Word 8 0 VBA6 MS Word 9 0 e X97M VBA5 MS Excel 8 0 VBA6 MS Excel 9 0 e A97M databases of MS Access 97 2000 e PP97M MS PowerPoint presentations e 097M VBA5 MS Office 97 VBA6 MS Office 2000 this virus infects files of more than one component of MS Office Development languages The HLL group is used to name viruses written in high level programming languages such as C C Pascal Basic and others e HLLW worms e HLLM mail worms e HLLO viruses overwriting the code of the victim program e HLLP parasitic viruses e HLLC companion viruses The following prefix al
18. Scanner for Windows scans on user demand or according to schedule certain files e g all files selected logical disks directories By default the main memory and startup files are scanned too Since it is the user who decides when to launch a task there is no need to worry about the sufficiency of computational resources needed for other important processes SpIDer Guard constantly resides in the main memory of the PC and intercepts calls made to the objects of the file system The program checks for viruses in files that are being launched created or changed on the hard drives and those that are opened on removable media and network drives Due to a balanced approach to the level of the file system scanning details the program hardly disturbs other processes Ta J i ax 3 Getting Started 36 on the PC However this results in insignificant decrease of virus detection reliability An advantage of the program is that it provides you with uninterrupted control of the virus situation during the entire time a PC is running In addition some viruses can only be detected by the guard through their specific activity SpIDer Mail also constantly resides in the memory The program intercepts all calls from your mail clients to mail servers via POP3 SMTP IMAP4 NNTP protocols and scans incoming and outgoing e mail messages before they are received or sent by the mail client SpIDer Mail is designed to check all current mail tr
19. This rule set is used by default for new network interfaces For fast switching between filtering modes you can create custom sets of filtering rules To set rulesets for network interfaces 1 In the Dr Web Firewall settings window select Packet filter page 2 Do one of the following e Configure sets of filtering rules by adding new rules modifying or deleting existing ones or changing order of their execution e Configure general filtering settings 130 10 Dr Web Firewall 131 Packet filter settings mm Packet filter settings Set as default Name New ea Block All Default Rule Use TCP stateful packet filtering V Management of fragmented IP packets To configure sets of filtering rules Do one of the following e To add a new rule set click New The new rule set is added to the beginning of the list e To edit an existing set of rules select the rule set in the list and click Edit e To add a copy of existing set of rules select the rule set and click Copy The copy is added after the selected rule set e To delete a selected rule set click Delete To configure general settings On the Packet Filter settings use the following options Ta 1 aX 10 Dr Web Firewall 132 Use TCP stateful Select this checkbox to filter packets according packet filtering to the state of existing TCP connections Dr Web Firewall will block pa
20. Web item opens your personal web page on the official Dr Web Security Space website This page gives information about your license period of usage serial number allows to renew your license contact Technical Support etc To start the registration procedure for receiving the key file from 47 Ta 1 ax 3 Getting Started 48 Doctor Web servers click Get new licence and select from Internet in the drop down menu That launches key file obtaining To add a key file 1 Click Get new licence In the drop down menu select from file 2 Select the file in a standard window 3 Dr Web Security Space starts using the key file automatically If you received a key file during installation or in the distribution kit complete set installation of a key file is made automatically and does not demand any additional actions To delete a key file from a list select it and click Delete current licence Last used key cannot be removed By default the license key file should be located in the Dr Web A Security Space installation folder Dr Web Security Space verifies the file regularly Do not edit or otherwise modify the file to prevent the license from compromise If no valid license or demo key file is found Dr Web Security Space components are blocked To receive a valid key file select Register License in the context menu of the SpIDer Agent Ta 1 ax 3 Getting Started 3 4 Quarantine Mana
21. a domain use the character instead of the username in the address For example if you enter spam ru SpIDer Mail will regard as spam messages from all senders within the Spam ru domain e To regard as spam messages sent from email address with a certain user name from any domain use the character instead of the domain name in the address For example if you enter ivanov SpIDer Mail will regard as spam messages from all senders with the i vanov mailbox name e Addresses from the recipient domain are not processed For example if the recipient mailbox your mailbox is in the mail ru domain then messages from mail ru domain will not be processed with anti spam filter 7 4 Logging Dr Web for Outlook registers errors and application events in the following logs e Windows Event Log e Text Dr Web debug log 7 4 1 Event Log Dr Web for Outlook registers the following information in the Windows Event Log e Plug in starts and stops 98 Ta J 1 ax 7 Dr Web for Outlook License key file parameters license validation license expiration date information is written during program launch during program operating and when key file is changed License errors the key file is absent permissions for usage of program modules is absent in the key file licence is blocked the key file is corrupted information is written during program launch and during program operating Parameters of program modules Sc
22. and phrases typical of spam using a special dictionary Anti scamming scam as well as pharming messages is the most dangerous type of spam including so called Nigerian scams loan scams lottery and casino scams and false messages from banks and credit organizations A special module of Dr Web Anti spam is used to filter scams Technical spam bounces are delivery failure messages sent by a mail server Such messages are also sent by a mail worm Therefore bounces are as unwanted as spam 77 Ta 2 1 ax 6 SpIDer Mail 78 6 1 Managing SpIDer Mail SpIDer Mail can be managed via the SpIDer Mail item in the context menu of the SpIDer Agent icon see SpIDer Agent About Register license My Dr Web Help SplDer Guard ge SplDer Mail Statistics SplDer Gate Settings e Parental Control Firewall Disable Updater G Scanner Disable Self protection Tools gt User mode If the Settings menu item is selected a window with SpIDer Mail settings will open read Adjusting Certain Program Settings User should have administrator rights to change settings of the SpIDer Mail interface If the Statistics menu item is selected a window with information on the program s operation during current session the number of scanned infected suspicious objects and taken actions will open The Disable Enable item allows to start stop SpIDer Mail Ta 2 N 6 SpIDer Mail 79 ax
23. can also block an active or unblock a disabled connection The blocked connections are marked with red in the table 10 4 2 Application Filter Log The application filter log stores information on all attempts of applications installed on your computer to connect to a network journal Packet Filter journal Time Application Rule name Direction Action Endpoint 10 Dr Web Firewall Network applications activity journal Time Application Rule name 3 1 2010 2 11 5 C windows system32 svchost exe Allow svchost exe inb C windows system32 svchost exe Allow svchost exe inb C windows system32 svchost exe Block listening on SSDP C windows system32 svchost exe Allow svchost exe inb C windows system32 svchost exe Block SSDP queries C windows system32 svchost exe Block SSDP queries C windows system32 svchost exe Block SSDP queries C windows system32 svchost exe Block SSDP queries C windows system32 svchost exe Allow svchost exe ou C windows system32 svchost exe Allow svchost exe ou C windows system32 svchost exe Block SSDP queries C windows system32 svchost exe Block SSDP queries 3 1 2010 2 12 0 _C windows system32 svchost exe Block SSDP queries m Cie eee eeeereeeee reese The date and time of the connection attempt The full path to the application executable file its name and process identification
24. click Parameters Server port ed 25 110 119 bid 143 ici 465 tal 563 ied 587 993 995 By default the list of automatically intercepted messages includes all IP addresses specified by the asterisk symbol and the following ports 143 standard IMAP4 port 119 standard NNTP port 110 standard POP3 port and 25 standard SMTP port To remove an element from the list select it and click Remove To add a server or a group of servers to the list specify its address IP 84 Ta J 1 aX 6 SpIDer Mail 85 address or domain name in the Address field and the called port number into the Port field and click Add The localhost address is not intercepted if the asterisk is specified If necessary this address should be specified in the interception list explicitly To set up manual interception 1 On the Interception page select Manual connections setup and click Parameters A window for setting up manual connections opens Tao a SplDer Mail port Server address Server port 7000 SpIDer Mail port Server address Server port 2 Make up a list of resources POP3 SMTP IMAP4 NNTP servers connections to which should be intercepted Number them one after another starting from 7000 Hereinafter these numbers will be called SpIDer Mail ports 3 For every resource input the appropriate number into the SpIDer Mail port entry field a domain name or IP addr
25. data It is possible to restrict access to separate files or folders on local drives and external data carriers You can also completely restrict access to any kinds of external data carriers By controlling access to web resources you can restrict a user to view undesirable web sites e g pornography violence gambling etc or allow access only to certain web sites specified in the Parental Control settings 9 1 Parental Control Settings To change the settings of the Parental Control component 1 Make necessary changes on the pages of the Parental Control Settings window 2 For more information about settings on a page click the Help button 3 Click Apply to save changes immediately 4 When you finish adjusting the settings click OK to save changes or Cancel to reject them When accessing Parental Control settings for the first time you will be suggested to set a password required to access settings of Dr Web Security Space if it was not set earlier You can also set a password or change it on Advanced tab in SpIDer Agent settings 110 9 Parental Control URL Filter Page On the URL filter page you can adjust access to web resources URL filter URL filter Local access Internet access Allow access to all sites by Block the site from the following categories Adult content F Obscene language Violence v Chats Weapons E Terrorism Gambling E E mail 7 Drugs F Social networ
26. described below Scanning Page By default SpIDer Guard is set in Optimal mode to scan files that are being executed created or changed on the hard drives and all files that are opened on removable media In Paranoid mode SpIDer Guard scans files that are being opened created or changed on the hard drives on removable media and network drives Selecting the Use heuristic analysis checkbox enables the heuristic analyser mode a method of virus detection based on the analysis of actions specific for viruses 70 5 SpIDer Guard 71 Scanning Scan mode Actions b gt Log V Use heuristic analysis recommended Additional tasks F Scan running programs and modules BS Scan install packages E Scan objects on the LAN not recommended Scan the removable media Block autoruns from removable media Certain external devices e g mobile drives with USB interface can be identified by the system as hard drives That is why such devices should be used with utmost care and checked for viruses by the Scanner when connected to a computer Disabled scanning of archives even if SpIDer Guard is constantly active means that viruses can still easily penetrate a PC but their detection will be postponed When the infected archive is unpacked or an infected message is opened an attempt to write the infected object on the hard drive will be taken and SpIDer Guard will inevitably detect
27. download complete messages from the e mail server at once without previewing their headers This is important for correct operation of the spam filter Selecting the Add a prefix to the subjects of spam messages check box instructs SpIDer Mail to add a special prefix to subjects of spam messages This prefix can be specified in the field below Use of the prefix will allow you to create filter rules for spam in e mail clients which do not support filtering by headers e g MS Outlook Express Selecting the Allow Cyrillic text check box instructs the spam filter to analyze messages with Cyrillic encoding If the check box is not selected it is highly possible that messages with Cyrillic encoding will be regarded as spam Functioning of the Allow Asian text check box is the same as the one described above but for East Asian encodings In the White list and Black list fields white and black lists of senders addresses are specified e If a sender s address is on the white list the message is not scanned for spam e If a sender s address is on the black list the message will be 82 Ta yan A A 6 SpIDer Mail automatically regarded as spam Addresses must be divided by a semicolon The asterisk symbol can stand for a part of address for example domain org denotes all addresses with the domain org domain name If the spam filter regards certain messages as spam by mistake A you are advised to fo
28. e Report generation wizard You can manage settings enable or disable components and look through statistics Anti virus Network Quarantine Manager and Scanner are not available Firewall settings and statistics are not available as well but you can enable or disable Firewall if you accessed Dr Web Anti virus or Dr Web Security Space Also you can select the Disconnect item to terminate remote connection If required computer is not on the list you can try to add it manually For this click Add button and enter IP address You can establish only one connection with remote Dr Web product If one connection is already established the Connect button is disabled Computers are listed in Anti virus Network if Dr Web products installed on these computers allow remote connection You can allow connection to your Dr Web Security Space on the Advanced tab in General settings 1 The Anti virus Network item is available in the menu when operation in Administrative mode only 53 Ta J i ax 4 Dr Web Scanner 4 Dr Web Scanner By default the program scans all files for viruses using both the virus database and the heuristic analyzer a method based on the general algorithms of virus developing allowing to detect the viruses unknown to the program with a high probability Executable files compressed with special packers are unpacked when scanned Files in archives of all commonly used types ACE ALZIP AR ARJ BGA
29. files listed in the specified file FM lt masks gt scan files matching the specified masks By default all files are scanned FR lt regexpr gt scan files matching the specified regular expression By default all files are scanned FULL perform a full scan of all hard drives and removable data carriers including boot sectors For Scanner only H or show brief help For Console Scanner only HA use heuristic analysis to detect unknown threats Option is enabled by default KEY lt keyfile gt specify a license key It is necessary to use this parameter if your key file is stored outside of the Dr Web installation folder where the scanner executables reside by default the drweb32 key or another suitable file from the C Program Files DrWeb folder is used LITE perform a basic scan of random access memory boot sectors of all disks and startup objects Scanner also runs a check on rootkits For Scanner only Ta J 1 ys Appendices 154 LN resolve shell links Option is disabled by default LS use LocalSystem account rights Option is disabled by default MA check e mail Option is enabled by default MC lt imit gt set maximum number of cure attempts to limit unlimited by default NB do not backup cured or deleted files Option is disabled by default NI X limits usage of system resources at scanning and priority of the scanni
30. messages are not even delivered to mailboxes e The Scanner does not check the mailboxes at the moment of the mail receipt but either on user demand or according to schedule Furthermore this action is rather resource consuming and takes a lot of time Thus with all the components in their default settings SpIDer Mail detects viruses and suspicious objects distributed via e mail first and does not let them infiltrate into your computer Its operation is rather resource sparing scanning of e mail files can be performed without other components 76 Ta J 1 aX 6 SpIDer Mail Anti spam Dr Web Anti spam technologies consist of several thousand rules that can be divided into several groups Heuristic analysis a highly intelligent technology that empirically analyzes all parts of a message header message body and attachments if any Detection of evasion techniques this advanced anti spam technology allows detecting evasion techniques adopted by spammers to bypass anti spam filters HTML signature analysis messages containing HTML code are compared with a list of known patterns from the anti spam library Such comparison in combination with the data on sizes of images typically used by spammers helps protect users against spam messages with HTML code linked to online content Semantic analysis the words and phrases of a message both visible to the human eye and hidden are compared with words
31. mode To manage Dr Web Firewall 1 Right click the SpIDer Agent icon S 2 Select Firewall then select a required item Statistics Display information on events which Dr Web Firewall handled Settings Access adjustable Dr Web Firewall settings On the Restore Defaults page you can restore all settings to their default values Disable Suspend Dr Web Firewall operation This operation is available for users with administrative privileges only Enable Resume Dr Web Firewall operation This item is available when Dr Web Firewall is disabled only To disable Dr Web Firewall enter confirmation code Settings and Disable Enable items are not available in User mode Ta 1 ax 10 Dr Web Firewall 121 10 3 Firewall settings d You need administrative rights to access Dr Web Firewall settings To start using Dr Web Firewall do the following e Select operation mode e List authorized applications Dr Web Firewall loads on Windows startup and starts logging events By default Dr Web Firewall operates in learning mode If any problems occur with Internet Connection Sharing i e access A to the Internet is blocked for computers that are connected to a host computer on the host computer specify packet filter rule that allows all packets from the subnet according to your local configuration 10 3 1 Application Filter Application level filtering helps you control access of various application and proce
32. new application filter rule select Create new rule In the opened window you can either choose one of the predefined rules or create your rule for parent process 10 Dr Web Firewall 118 Firefox The following network access problems were detected The network application was launched by unknown process If you are not sure that the application should be allowed to start network processes you should block this action application Description Allow Block Publisher Path Windows Explorer Wrico C windows explorer exe Z userinit Logon Application Wrico C windows system32 userinit exe Windows Logon Application Wrico C windows system32 winlogon exe C windows Session Manager a Wrhico C windows system32 smss exe Z system na system 2 Click OK Dr Web Firewall executes the selected action and closes the notification window When unknown process was run by another unknown process a notification will display corresponding details If you click Create new rule the new window will appear allowing you to create new rules for this application and it s parent process 7 oy 10 Dr Web Firewall 119 P Windows host process Rundll32 The following network access problems were detected There are no rules for this application You can allow block or customize application network access You can choose either one of predefined rules or create your own application rule
33. path_to_program gt dwscancl lt switches gt lt objects gt The list of objects for scanning can be empty or contain several elements separated with blanks Switches are command line parameters that specify program settings Several parameters are divided by spaces For the full list of available switches refer to Appendix A Return codes e 0 Scanning was completed successfully infected objects were not found e 1 Scanning was completed successfully infected objects were detected e 10 Invalid keys are specified e 11 Key file is not found or does not license Console Scanner e 12 Scanning Engine did not start e 255 Scanning was aborted by user 66 A AN v Aq A 4 Dr Web Scanner 4 6 Automatic Launch of Scanning During Dr Web Security Space installation an anti virus scanning task is automatically created in the Task Scheduler the task is disabled by default To view the parameters of the task open Control Panel Administrative Tools Task Scheduler In the task list select the Dr Web Daily scan task You can enable the task adjust trigger time and set required parameters On the General tab you can review general information and security options on a certain task On the Triggers and Conditions tabs various conditions for task launching are specified To review event log choose the History tab You can also create your own anti virus scanning tasks Please refer to
34. read on spam check select the Mark message as read checkbox This option is enables by default 4 You can also configure black and white lists If spam filter defines certain messages incorrectly you are advised to forward such messages to special e mail addresses for analysis e Messages which are wrongly regarded as spam should be forwarded to vrnonspam drweb com e Unblocked spam messages should be forwarded to vrspam drweb com Forward messages as attachments do not include them to the message body Spam filtering parameters V Check for spam Add prefix to message header S PAM V Mark message as read Black and white lists amp Messages from e mails included into the white list are skipped without check for spam White list Messages from e mails included into the black list are always considered as spam Black list Ta AN ax 7 Dr Web for Outlook 95 7 3 2 Using Black and White Lists Black and white lists are used for messages filtration To review and to edit the black and white lists click Black list or White list respectively on the Spam filter window White list Black list A Messages from e mails included into the white list are skipped without i check for spam box domain Ta J N ah 7 Dr Web for Outlook 96 To add addresses 1 Click Add 2 In the Edit list window ente
35. system the worm can be rid of by simply restarting the system at which the RAM is erased and reset However if the worm s body infiltrates the computer then only an anti virus program can cope with it Worms have the ability to cripple entire networks even if they do not bear any payload i e do not cause any direct damage due to their intensive distribution Trojan horses Trojans This type of malicious program cannot reproduce or infect other programs A Trojan substitutes a high usage program and performs its functions or imitates the programs operation At the same time it performs some malicious actions in the system damages or deletes data sends confidential information etc or makes it possible for another person to access the computer without permission e g to harm the computer of a third party A Trojan s masking and malicious facilities are similar to those of a virus and it can even be a component of a virus However most Trojans are distributed as separate executable files through file exchange servers removable data carriers or e mail attachments which are launched by a user or a system task 165 Ta J i ys Appendices Rootkits It is a type of malicious program used to intercept system functions of an operating system in order to conceal itself Besides a rootkit can conceal tasks of other programs registry keys folders and files It can be distributed either as an independent progra
36. the Help system and Windows documentation for more details on the system scheduler operation If installed components include Dr Web Firewall Task Scheduler 1 will be blocked by Firewall after Dr Web Security Space installation and the first system reboot Scheduled tasks will operate only after second restart when new rule is already created 67 Ta 1 ax 5 SpIDer Guard 68 5 SpIDer Guard By default SpIDer Guard is loaded automatically at every Windows startup and cannot be unloaded during the current Windows session If necessary you can temporarily disable SpIDer Guard for example when a task consuming too much processor resources is performed in real time mode d Only the user with administrator rights can temporarily disable SpIDer Guard By default SpIDer Guard performs on access scanning of files that are being created or changed on the HDD and all files that are opened on removable media It scans these files in the same way as the Scanner but with milder options Besides SpIDer Guard constantly monitors running processes for virus like activity and if they are detected blocks these processes By default upon detection of infected objects SpIDer Guard supplied with Dr Web Security Space acts according to actions set on the Actions tab You can set the program s reaction to virus events by adjusting the corresponding settings A user can control it with the help of the Statistics window and
37. the Internet If you already use another proxy server to connect to the Internet specify its connection parameters User Manual Ta 2 i ax 8 SpIDer Gate 109 Log Page On this page you can select the mode of keeping records in the log file e Standard in this mode SpIDer Gate logs the following most important actions only e Time of updates e Time of SpIDer Gate starts and stops e Detected errors and infections e Extended in this mode SpIDer Gate logs the most important actions and the following additional data e Names of scanned objects e Names of packers e Contents of scanned complex objects archives mail boxes and file containers It is recommended to use this mode when determining objects that SpIDer Gate checks most often e Debugging in this mode SpIDer Gate logs all details on its activity This may result in considerable log growth The SpIDer Gate log is stored in the netfilter log file that is located in folder Y allusersprofile Application Data Doctor Web Logs for Windows 7 Y allusersprofile Doctor Web Logs It is recommended to analyze the log file periodically Ta J i ax 9 Parental Control 9 Parental Control The Parental Control component is used to restrict access to both local and web resources By restricting access to the local file system you can maintain the integrity of important files protect them from viruses and secure the confidentiality of stored
38. the infected file are called file viruses Some viruses infect boot records of diskettes and partitions or master boot records of fixed disks Such viruses are called boot viruses They take very little memory and remain ready to continue performing their tasks until a system roll out restart or shut down occurs Macroviruses are viruses which infect documents used by the Microsoft Office and some other applications which allow macro commands usually written in Visual Basic Macro commands are a type of implemented programs macros written in a fully functional programming language For instance in Microsoft Word macros can automatically initiate upon opening closing saving etc a document A virus which has the ability to activate and perform the tasks assigned by the virus writer only when the computer reaches a certain state e g a certain date and time is called a memory resident virus Most viruses have some kind of protection against detection Protection methods are being constantly improved and ways to overcome them are developed Encrypted viruses for instance cipher their code upon every infection to hamper their detection in a file boot sector or memory All copies of such viruses contain only a small common code fragment the decryption procedure which can be used as a virus signature Polymorphic viruses also encrypt there code but besides that they generate a special decryption procedure which is different in
39. the log file Ta 2 ax N 5 SpIDer Guard 69 5 1 Managing SpIDer Guard Main tools for setting and managing in SpIDer Guard reside in its menu About Register license My Dr Web Help SplDer Guard Statistics e SplDer Mail Settings SplDer Gate Parental Control Firewall Updater G Scanner Disable vv v vg amp Disable Self protection Tools gt User mode The Statistics menu item allows to open the Statistics window where the information on the operation of SpIDer Guard during the current session is displayed the number of scanned infected or suspicious objects virus like activities and actions taken The Settings menu item gives access to the main part of the program parameters for details see SpIDer Guard Settings The Disable item allows to temporary disable program functions for users with administrator rights only Access to the SpIDer Guard settings is possible only for the user A with administrator rights To disable SpIDer Guard enter confirmation code Ta J i ax 5 SpIDer Guard 5 2 SpIDer Guard Settings The main adjustable parameters of SpIDer Guard are in the Settings panel To receive help on parameters specified on a page select that page and click Help o When you finish editing the parameters click OK to save changes or Cancel to cancel the changes made Some of the most frequently changed settings of the program are
40. this type of connection This mode is used by default Restricted Access Mode In this mode Dr Web Firewall blocks all unknown connections to network resources including the Internet automatically When a user application or operating system attempts to connect to a network Dr Web Firewall checks if there is a filtering ruleset for the 139 Ta 1 ax 10 Dr Web Firewall application If there are no filtering rules Dr Web Firewall blocks network access for the application without displaying any notification to the user If there are filtering rules for the application Dr Web Firewall processes the connection according to the specified actions Free Access Mode In this mode Dr Web Firewall allows all unknown applications to access network recourses including the Internet No notification on access attempt is displayed To configure advanced settings On the Application filter settings page use the following option Allow loopback interface Display notifications in full screen mode Select this checkbox to allow all applications on you computer to interconnect i e allow unlimited connections between application installed on your computer For this type of connection no rules will be applied Clear this checkbox to apply rules for connections carried out both through the network and within your computer Select this checkbox to display notifications on a separate desktop when some applica
41. you have a serial number select Receive key file during installation Otherwise select Receive key file later updating is not available in this mode and click Next A Use only a Dr Web Security Space key file which should have the key extension 7 The installation wizard will let you choose the type of installation Default Installation implies installation of all components and all secondary programs automatically up to step 12 Custom Installation is meant for experienced users During custom installation you will be asked to select components for installation and adjust proxy server settings and some additional installation parameters 2 Installing Dr Web Security Space 27 Installation Type Select the type of installation according to your needs Default installation recommended All the program components will be installed with default settings and installation Parameters Custom installation Allows you to select the components to be installed destination folder and additional installation parameters Once you choose the type of installation click Next 8 If you chose default installation type go to step 12 In case of custom installation a window will open that allows you to select from the hierarchical list the program components you want install You can also change the installation folder if necessary 2 Installing Dr Web Security Space 28 Select components
42. 033 English 1061 Estonian 1036 French France 1031 German 1032 Greek 1038 Hungarian 1040 Italian 1041 Japanese 1062 Latvian 1063 Lithuanian 1045 Polish 2070 Portuguese 1049 Russian Ta i ax G 2 Installing Dr Web Security Space 23 1051 1034 1055 1058 Slovak Spanish Traditional Sort Turkish Ukrainian English will be installed in addition to whatever other language is chosen Usual Installation 1 2 Select the language for the installation wizard Regardless of your choice English language will be installed in addition In the next window you will be asked to read the License agreement To continue installation you must accept its terms and click Next The installation wizard will inform you of any possible incompatibility between Dr Web and other anti viruses installed on your computer and offer to uninstall or disable them If other anti viruses are installed on your computer it is recommended to click Cancel and terminate installation delete or deactivate other anti viruses and then proceed with installation To continue with the installation select the I confirm that no other anti virus software is installed on this computer check box and click Next 2 Installing Dr Web Security Space 24 Please read the following important information Installing Dr Web Security Space 7 0 on a computer with another anti virus program may lead to unpredictable c
43. 104 A AN v Aq A 8 SpIDer Gate Block malicious programs V Suspicious V Riskware V Dialers Hacktools F Adware F Jokes Block objects Not checked Malformed Additional L Check archives In the opened dialog window you can block malicious programs and objects and also enable or disable archives checking By default all malicious programs are blocked and the archives checking is disabled Application Filter Page By default monitoring of HTTP traffic is enabled On the Application Filter page you can set up which applications to include or exclude from monitoring SpIDer Gate checks HTTP traffic which goes through ports specified in the top part of the tab By default ports 80 8080 and 3128 are specified these ports are often used by applications to transfer data through HTTP If you are aware that an application on your computer uses another port for HTTP then add it to the HTTP ports field 105 8 SpIDer Gate Actions Application filter Application filter Check all applications HTTP _ 80 8080 3128 443 Proxy Ports Secure connections E Check encrypted traffic HTTPS Log Applications to check on all ports Pa Exduded applications Ti Add applications whose network activity should be checked with extreme caution to the Applications being checked on all ports list These are web browsers download manage
44. 2 ww ax 3 Getting Started 41 3 2 General Settings General settings of Dr Web Security Space operation is configured in the Dr Web Settings window To open this window click the SpIDer Agent icon in the notification area select Tools and then select Settings Settings Page Settings Settings Components English Update Advanced f virus databases V Start reminding me about outdated virus databases after 1 day recommended KA V Repeat tooltip notifications every hours recommended Z Notification types V Database update notifications F SplDer Gate SplDer Guard F Parental Control v V SpIDer Mail v Do not show notifications in full screen mode On this page you can specify the language of the Dr Web Security Space GUI by selecting the necessary language in the Language list If you choose language that hasn t been installed Dr Web Security Space will suggest to install it Also in this window you can select the types of pop up notifications which appear above the SpIDer Agent icon in the taskbar notification area Components send notifications when a corresponding event happens i e when a threat is detected or an update is performed 3 Getting Started 42 Components Page On this page you can configure automatic launching of Dr Web Security Space components on system startup Components Launch the following anti
45. 60 g proxy arg u user arg k password Jarg param arg progress to console e reset failed reset revision to 0 for failed components e normal failed try to update all components including failed from current revision to newest or specified e update revision try to update all components of current revision to newest if exists e normal update all components Proxy server for updating lt Address gt lt port gt Username for proxy server Password for proxy server Pass additional parameters to the script lt Name gt lt value gt Print information about downloading and script execution to console exec command parameters s script arg f func arg p param arg progress to console Execute this script If specified execute this function in the script Pass additional parameters to the script lt Name gt lt value gt Print information about script execution to console Ta N ax Appendices 161 getcomponents command parameters s version Version name arg p product Specify product to get the list of components that belong arg to this product If product is not specified all components of this version will be listed getrevisions command parameters s version Version name arg n Component name component arg uninstall command parameters n
46. B C Maximum compression ratio 0 J o Maximum archive nesting level Anti spam Anti spam filter activity Do not check mail for spam Exclusions E Check mail for spam on i Spam check options Interc Allow Cyrillic text Log Allow Asian text V Add the following prefix to subjects of spam messages Note SpIDer Mail adds the X DrWeb SpamState header to each checked message Use White and Black lists to ensure acceptance or blocking of messages from specific addresses Whitelist __ Blacklist By default SpIDer Mail scans incoming messages for spam To disable the spam filter choose the Do not check mail for the spam mode User Manual 81 Ta J 1 ax 6 SpIDer Mail The following headers will be added to all scanned messages e X DrWeb SpamState Yes No Yes shows that the message is spam No means that SpIDer Mail does not regard the message as spam e X DrWeb SpamVersion version version is the version of Anti spam library e X DrWeb SpamReason spam rate Spam rate includes list of evaluations on various spam criteria Express versions 5 and 6 named DRWEB VR ANTISPAM RULE is created This rule moves all messages that contain prefix SPAM in their subjects to the Deleted folder 1 During installation with standard parameters a rule for Outlook If you use IMAP or NNTP configure your e mail client to
47. Check all HTTP traffic Check incoming traffic recommended Log Check outgoing traffic Blocking parameters V Block known infection sources aS W Block not recommended sites White list Speed balance Internet connection speed decreases with lowering of scanning priority When you increase the priority connection improves but this also increases processor load Minimum U Maximum In the Check mode group you can choose type of the checked HTTP traffic In the Blocking parameters group you can protect your computer from websites that are proved to distribute malicious software and present other kinds of security threats select Block known infection sources and form unreliable websites select Block not recommended sites To specify sites that should be allowed for access regardless to other restrictions click White list You can adjust Speed balance that determines distribution of resources depending on traffic scanning priority Internet connection speed decreases when SpIDer Gate operates with lower priority since the monitor have to wait longer for downloading and scans larger portions of data When you increase the priority SpIDer Gate starts scanning data more often thus increasing speed of your Internet connection However frequent scans also increase processor load The best balance can be achieved experimentally To get access to advanced settings click Advanced settings in Actions tab
48. Dr Web official forum at http forum drweb com If you have not found solution for the problem you can request direct assistance from Doctor Web Technical Support by filling in the web from in the corresponding section of the support site at http support drweb com For regional office information visit the official Doctor Web website at http company drweb com contacts moscow 175 Doctor Web 2003 2012
49. NT OK QNA REP SCC SCN SPN SLS SPS SST TB TM TS TR WCL For FL parameter modifier directs to scan paths listed in specified file and then delete this file For ARC ARL ARS ART ARX NI X PAL RPC and W parameters 0 value means that there is no limit Example of using command line parameters with Console Scanner lt path_to_file gt dwscancl AR AIN C AIC Q C scan all files on disk C excluding those in archives cure the infected files and move to quarantine those that cannot be cured To run Scanner the same way type the dwscanner command name instead of dwscancl Ta N ax G Appendices 158 Dr Web Updater Command Line Parameters Common options h help v verbosity arg d data dir arg log dir arg log file arg dwupdater log r repo dir arg t trace C BE command arg update z zone arg Show this message Log level Can be one of following error info debug Directory where repository and settings are located Directory for storing log file Log file name Repository directory lt data_dir gt repo by default Enable tracing Command to execute getversions getcomponents getrevisions init update uninstall exec download and keyupdate List of the zones that should be used instead of specified in configuration file init command parameters s versi
50. Name of the component that should be uninstalled component arg progress Print information about command execution to console to console param arg Pass additional parameters to the script lt Name gt lt value gt e add to Components to be deleted Updating of this components exclude will not be performed Ta 5 N aX Appendices 162 keyupdate command parameters m md5 arg o output arg b backup g proxy arg u user arg k password arg progress to console MD5 hash of previous key file Output file name to store new key Backup of old key file if exists Proxy server for updating lt Address gt lt port gt Username for proxy server Password for proxy server Print information about downloading to console download command parameters zones arg key dir arg progress to console g proxy arg u user arg k password J arg s version arg Zone description file Directory where key file is located Print information about command execution to console Proxy server for updating lt Address gt lt port gt Username for proxy server Password for proxy server Version name Ta J 1 ys Appendices 163 p product Product name arg Appendix B Computer Threats and Neutralization Methods With the development of computer technologies an
51. Scanner item in the context menu of the SpIDer Agent icon in the taskbar notification area see SpIDer Agent chapter Click the Dr Web Scanner item in All Programs gt Dr Web directory of the Windows Start menu Run the corresponding command in the Windows command line read Command Line Scanning Mode When Scanner launches its main window opens There are 3 scanning modes Express scan Complete scan and Custom scan Depending on the selected mode either a list of objects which will be scanned or a file system tree is displayed at the center of the window In Express scan mode the following objects are scanned e Random access memory e Boot sectors of all disks e Autorun objects Boot disk root directory Windows installation disk root directory Windows system folder Ta 1 ax 4 Dr Web Scanner e User documents folder My documents e System temporary folder e User temporary folder If scanning process is running under administrative privileges then in this mode Scanner also checks if rootkits are present in the system If Complete scan mode is selected random access memory and all hard drives including boot sectors of all disks are scanned Scanner also runs a check on rootkits Custom scan mode allows you to select objects for scanning any folders and files and such objects as random access memory autorun objects boot sectors etc To start scanning selected objects click Start scanning
52. Security Space Doctor Web 2003 2012 All rights reserved This document is the property of Doctor Web No part of this document may be reproduced published or transmitted in any form or by any means for any purpose other than the purchaser s personal use without proper attribution TRADEMARKS Dr Web the Dr WEB logo SpIDer Mail SpIDer Guard CureIt CureNet AV desk are trademarks and registered trademarks of Doctor Web in Russia and or other countries Other trademarks registered trademarks and company names used in this document are property of their respective owners DISCLAIMER In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document the use of or inability to use information contained in this document Dr Web Security Space Version 7 0 User Manual 25 10 2012 Doctor Web Head Office 2 12A 3rd str Yamskogo polya Moscow Russia 125124 Web site www drweb com Phone 7 495 789 45 87 Refer to the official web site for regional and international office information Doctor Web Doctor Web develops and distributes Dr Web information security solutions which provide efficient protection from malicious software and spam Doctor Web customers can be found among home users from all over the world and in government enterprises small companies and nationw
53. T x A ax 1 Introduction 12 1 4 Licensing The use rights for the Dr Web Security Space are specified in the key file To use Dr Web Security Space obtain and install a key file For more information on licensing and types of key files visit the official Doctor Web website 1 4 1 Key File The key file contains the following information e list of components a user is allowed to use e duration of the license e other restrictions i e the number of computers on which a program is allowed to be used The key file has the key extension and by default should reside in the program s installation folder The key file has a write protected format and must not be edited A Editing the key file renders it invalid Therefore it is not recommended to open your key file with a text editor which may accidentally corrupt it There are three types of key files e License key file is purchased with the Dr Web software and allows a user to use the software and receive technical support Parameters of the license key file are set in accordance with the software s license agreement It also contains information about the user and seller e Demo key file is used to evaluate Dr Web products It is completely free provides full functionality of the software but has a limited duration 30 days if it is a promotion license key Ta i ax 1 Introduction file 3 months Demo key files for
54. Web Updater helps you download and install the updates during the licensed period 11 1 Running Updates You can run Updater in one of the following ways e From the command line by running drwupsrv exe file located in the Dr Web Security Space installation folder e By selecting Update in the SpIDer Agent menu On launching Updater displays a window with information on relevance of Dr Web virus databases and Dr Web Security Space components If necessary you can start an update process Update parameters can be configured on the Update page of Dr Web Security Space settings 149 Ta N ax 11 Automatic Updating into dwupdater log file that is located in the allusersprofile Application Data Doctor Web Logs folder in Windows 7 allusersprofile Doctor Web Logs 1 If launching Dr Web Updater automatically changes are logged Dr Web Updater f Update is not required KJ Dr Web updates virus databases and components automatically Last update 6 4 2012 3 02 PM Next update 6 4 2012 3 32 PM Start Why do need to update DrWeb regularly Update Procedure Before starting an update Updater checks if you have a key file registered license or demo If no key file is found Updater suggests you to obtain a key file on the Internet through the user registration procedure If the key file is found Updater checks its validity at Doctor Web servers the file can be blocked if di
55. affic going through a computer As a result it becomes more efficient and less resource consuming to scan mailboxes For example you can control attempts at mass distribution of a mail worm s functional copies to the addresses specified in the user address book which is performed via the worm s own mail clients You can also disable scanning of e mail files for SpIDer Guard which considerably reduces consumption of computer resources An anti virus HTTP monitor SpIDer Gate by default automatically checks incoming HTTP traffic and blocks all malware objects HTTP is used by web browsers download managers and other applications that exchange data with web servers i e those that work with the Internet SpIDer Gate resides in the computer s main memory and automatically launches upon Windows startup You can change the automatic launch mode by clearing the corresponding check box The Parental Control component is used to restrict access to both local and web resources Dr Web Firewall protects your computer from unauthorized access and prevents vital data from leaking through networks Firewall monitors connection attempts and data transfer and helps you block unwanted or suspicious connections on both network and application levels Ta 1 ax 3 Getting Started 37 Ensuring Protection Against Virus Threats To ensure comprehensive anti virus protection we advise you to use the Dr Web Security Space components as foll
56. an not be checked or error has occurred during scan e Clear number of messages which are not infected Then the number of the following categories of treated objects is specified e Moved to quarantine number of objects which have been moved to Quarantine e Deleted number of objects deleted from the system e Skipped number of objects skipped without changes e Spam messages number of objects detected as spam By default statistics file is dcwebforoutlook stat file that is located in the USERPROFILE DoctorWeb folder for Windows 7 C Users lt username gt DoctorWeb To clear statistics delete this file 1 drwebforoutlook stat statistics file is individual for each system user 101 Ta J N ax 8 SpIDer Gate 8 SpIDer Gate SpIDer Gate is an anti virus HTTP monitor By default SpIDer Gate automatically checks incoming HTTP traffic and blocks all malware objects HTTP is used by web browsers download managers and other applications which exchange data with web servers i e which work with the Internet You can configure SpIDer Gate to completely disable monitoring of incoming or outgoing traffic compose a list of applications whose HTTP traffic should always be checked or exclude certain applications from being monitored By default SpIDer Gate blocks all incoming malware objects URL filtering of malicious and unreliable Web sites is also enabled by default SpIDer Gate resi
57. and line mode then you can specify settings of the current scanning session and list objects for scanning as additional parameters This mode provides automatic activation of Scanner according to schedule To run scanning from command line Enter a command in the following format lt path_to_program gt drweb32w lt objects gt lt switches gt The list of objects for scanning can be empty or contain several elements separated with blanks The most commonly used examples of specifying the objects for scanning are given below e FAST perform an express scan of the system for more information on the express scan mode see Scan Modes e FULL perform a full scan of all hard drives and removable data carriers including boot sectors e LITE perform a basic scan of random access memory boot sectors of all disks and startup objects Switches are command line parameters that specify program settings If no switches are defined scanning is performed with the settings specified earlier or with the default settings if you have not changed them Each switch begins with a forward slash character and is separated with a blank from other switches A AN T v A A 4 Dr Web Scanner 4 5 Console Scanner Dr Web Security Space also includes Console Scanner that provides advanced settings A Console Scanner moves suspicious files to Quarantine To run Console Scanner Enter the following command lt
58. and neutralized 19 Ta J 1 aX 2 Installing Dr Web Security Space 20 2 Installing Dr Web Security Space Before installing the program we strongly recommend to e install all critical updates released by Microsoft for the OS version used on your computer they are available at the company s updating web site at http windowsupdate microsoft com e check the file system with the system utilities and remove the detected defects e close all active applications Dr Web Security Space is not compatible with other anti virus software Installing two anti virus programs on one computer may lead to a system crash and the loss of important data To begin installing Dr Web Security Space on your computer do one of the following e Execute the file if supplied as a single executable file e Insert the company disk into the CD DVD drive If autorun is enabled the installation procedure will start automatically If autorun is disabled run the executable file of the distribution kit manually Follow the dialog windows of the installation wizard At any stage of the installation before the files are copied onto the computer you can return to the previous stage by clicking Back To continue installation click Next To abort installation click Cancel Ta 1 ax 2 Installing Dr Web Security Space 21 2 1 Installation Procedure Only a user with administrative privileges can install Dr W
59. anner engine virus bases information is written during program launch and modules update Information on threats detection License expiration notifications a message is registered in 30 15 7 3 2 and 1 days before expiration To view Event Log 1 2 On the Control Panel select Administrative Tools Event Viewer In the tree view select Application The list of events registered in the log by user applications will be opened The source of Dr Web for Outlook messages is the Dr Web for Outlook application 7 4 2 Debug Text Log The following information can be registered in the Dr Web for Outlook text log License validity status Malware detection reports per each detected malicious object Read write errors or errors while scanning for archives or password protected files parameters of program modules Scanner engine Dr Web virus databases Core failures License expiration notifications A message is registered in 30 15 7 3 2 and 1 days before expiration 99 Ta J i ax 7 Dr Web for Outlook 100 Enabling the program logging in the Log file decreases server performance therefore it is recommended to enable logging only in case of errors occurrence in operation of Dr Web for Outlook To configure logging 1 On Dr Web Anti virus tab click Log The window of log settings will open 2 Specify the detailing level 0 5 for logging e level O corresponds to disable logging e
60. at are not accessible to unprivileged user including system folder are not scanned To run Scanner under an administrative account select the Run scanning process with administrative rights checkbox vw S PRR aH B G Main Actions Exclusions Log Restore defaults E id Use sound alerts E Automatically apply actions to threats E C Turn off computer after scanning E Interrupt scanning when switching to battery mode V If required limit the use of computer resources to 50 recommended v Run scanning process with administrative rights 62 Ta 1 ax 4 Dr Web Scanner 63 Actions Page To set reaction on threat detection 1 Select the Actions tab in the Scanner settings window In the Infected objects drop down list select the program s action upon detection of an infected object Select the program s action upon detection of an incurable object in the Incurable objects drop down list The range of actions is the same as for infected objects but the Cure action is not available da The Move to quarantine action is the best in most cases In the Suspicious objects drop down list select the program s action upon detection of a suspicious object fully similar to the previous paragraph Similar actions should be specified for detection of objects containing Adware Dialers Jokes Riskware and Hacktools The same way the automatic action
61. ate a new file with this line and save it as test com When you attempt to execute an EICAR file while SpIDer Guard is running in the optimal mode the operation is not terminated and d the file is not processed as malicious since it does not pose any actual threat to your system However if you copy or create such a file in your system then it is detected by SpIDer Guard and moved to Quarantine by default 17 A AN T v A A 1 Introduction 18 1 6 Detection Methods Dr Web anti virus solutions use several malicious software detection methods simultaneously and that allows them to perform thorough checks on suspicious files and control software behaviour 1 The scans begin with signature analysis which is performed by comparing file code segments to the known virus signatures A signature is a finite continuous sequence of bytes that is necessary and sufficient to identify a specific virus To reduce the size of the signature dictionary Dr Web anti virus solutions use signature checksums instead of complete signature sequences Checksums uniquely identify signatures which preserves the correctness of virus detection and neutralization The Dr Web virus databases are composed in such a way that some entries can be used to detect not just specific viruses but whole classes of threats 2 On completion of signature analysis Dr Web anti virus solutions use the unique Origins Tracing method to detect new and mo
62. b Help amp SplDer Guard e SplDer Mail SplDer Gate Parental Control Firewall Updater G Scanner Disable Self protection Tools gt vyv v v v User mode The About item opens a window showing information about your version of Dr Web Security Space The Register license item starts the registration procedure for receiving a key file from Doctor Web servers Ta i ax 3 Getting Started 39 The My Dr Web item opens your personal web page on the Doctor Web official website This page gives information about your license e g period of usage serial number and allows you to renew your license contact Technical Support etc The Help item opens the Dr Web Security Space help system The SpIDer Guard SpIDer Mail SpIDer Gate Parental Control and Update items allow you to access the management and settings features of the corresponding components The Scanner item runs Dr Web Scanner The Disable Enable Self protection item allows you to disable enable protection of Dr Web Security Space files registry keys and processes from damage and deletion You cannot disable self protection when in User mode It is not recommended to disable self protection If any problems occur during operation of defragmentation programs disable self protection temporarily To disable self protection e select Disable self protection in the SpIDer Agent menu e enter the text displayed in the picture
63. blocked Rule name The name of the applied rule A AN 1 v A A 10 Dr Web Firewall 148 Interface The interface used to transmit the packet Packet data Packet details The Logging mode setting of the rule determines the amount of stored data On this page you can save the information to a file or clear the log To save packet filter log Click Save then enter the file name where to store the log To clear packet filter log Click Clear All information will be deleted from the log Ta J i ax 11 Automatic Updating 11 Automatic Updating Anti virus solutions of Doctor Web use Dr Web virus databases to detect computer threats These databases contain details and signatures for all virus threats known at the moment of the product release However modern virus threats are characterized by high speed evolvement and modification Within several days and sometimes hours new viruses and malicious programs emerge To mitigate the risk of infection during the licensed period Doctor Web provides you with regular updates to virus databases and product components which are distributed via the Internet With the updates Dr Web Security Space receives information required to detect new viruses block their spreading and sometimes cure infected files which were incurable before From time to time the updates also include enhancements to anti virus algorithms and fix bugs in software and documentation Dr
64. check box the installation wizard will inform you of any possible incompatibility between Dr Web and other firewalls installed on your computer and offer to uninstall or disable them If other firewalls are installed on your computer it is recommended to click Cancel and terminate installation delete or deactivate other firewalls and then continue with the installation To continue installation select the I confirm that no other firewall is installed on this computer check box and click Next 6 The installation program will bring up a warning window requesting a key file license or demo required for the program s operation If a key file is present on your hard drive or on removable media click Browse select the key file and click Next 2 Installing Dr Web Security Space 26 Select the option which best suits your situation Dr Web Security Space 7 0 can only be used if you have a valid key file which regulates your rights to use the software Specify the path to an available valid key file Path to key file C Users admin Desktop drweb32 key Receive key file during installation Select this option to run the registration procedure during installation if you have a serial number or would like to receive a demonstration key file D Receive key file later If you select this option Dr Web Security Space 7 0 will not be updated until you obtain a license or demo key file If no key file is available but
65. cion nes Directon any Bthemet _ Local MAC MY_COMPUTER MAC B IPv4 x amp B Remote IP x Mask 192 168 1 0 255 255 255 0 B Rulename Allow transit packets Description n a Logging No logging A ox cance If you do not specify any fields within the IPv4 header then the rule will be passed for any packet that contains an IPv4 header and was sent from a physical address of the local computer Ta ww ys 10 Dr Web Firewall 138 10 3 4 Advanced settings On the Advanced settings page you can select a default action which Dr Web Firewall should execute when it detects a new unknown to the firewall connection attempt and configure advanced settings These rules are applied on the application level Advanced settings Dr Web Firewall operation mode e Allow unknown connections Training Mode create rules for known applications automatically Advanced k Restore defaults aaa aa amp Block unknown connections F Allow loopback interface E Display notifications on separate desktop in full screen mode E Send new rules to Doctor Web Privacy statement by Doctor Web To set operation mode 1 In the Dr Web Firewall settings window select Advanced 2 Select one of the following operation modes e Interactive learning mode e Default Training mode create rules for known applications automatically learning mode when rule
66. ckets that do not match active connections according to the TCP protocol specification This option helps protect your computer from DoS attacks denial of service resource scanning data injection and other malicious operations It is also recommended to enable stateful packet filtering when using complex data transfer protocols such as FTP SIP etc Clear this checkbox to filter packets without regard to state of TCP sessions Management of Select this checkbox to ensure correct fragmented IP processing of large amounts of data The packets maximum transmission unit MTU may vary for different networks therefore large IP packets may be received fragmented When this option is enabled Dr Web Firewall applies the rule selected for the first fragment of a large IP packet to all other fragments Clear this checkbox to process fragmented packets independently Packet Filter Rulesets The New packet ruleset or Edit ruleset window lists packet filtering rules for the selected rule set You can configure the list by adding new rules or modifying existing rules and the order of their execution The rules are applied according to their order in the set 10 Dr Web Firewall Rule name EAPol Authenticate via EAPoL 802 1x PPPoE Discovery Stage PPPoE Session Stage GRE Allow to establish VPN connections using GRE protocol TCP Authorize Identification Authorize most common Intern
67. components you may proceed to the next step and select the Update during installation checkbox 2 Installing Dr Web Security Space 30 pro F 12 13 14 15 Space Additional Installation Parameters E d Choose some additional installation parameters Updating virus databases and program components during installation ensures that your during installation tection environment is up to date from the first express scan which is performed Update during installation A window will open informing you that the program is ready to be installed Click Install to start the installation process or Back to change any of the installation parameters If in step 6 you selected the Receive key file during installation option the installation wizard will launch the registration procedure To receive the key file your computer should be connected to the Internet If in step 11 you selected the Update during installation check box or during default installation after receiving the key file virus databases and components of Dr Web Security Space will be updated automatically After installation is complete Scanner will perform an express scan Avert any detected threats and close Scanner after the scanning process Ta J 1 ax 2 Installing Dr Web Security Space 31 Scanner is not compatible with Windows Blinds an A application for adjusting Windows GUI In order for Dr W
68. d file containers e Debugging in this mode SpIDer Mail logs all details on its activity This may result in considerable log growth and reduce system performance Ta J 1 ax 6 SpIDer Mail 87 The SpIDer Mail log is stored in the netfilter log file that is located in folder Y allusersprofile Application Data Doctor Web Logs for Windows 7 Y allusersprofile Doctor Web Logs It is recommended to analyze the log file periodically Ta J N ax 7 Dr Web for Outlook 7 Dr Web for Outlook Dr Web for Outlook plug in performs the following functions e Anti virus check of e mail attachments transferred via SMTP POP3 and HTTP protocols e Check of e mail attachments transferred via SSL encrypted connections e Spam check e Detection and neutralizing of malicious objects e Malware detection e Heuristic analysis for additional protection against unknown viruses 7 1 Configuring Dr Web for Outlook You can configure Dr Web for Outlook plug in operation and review statistics at the Microsoft Outlook mail application in the Tools gt Options Dr Web Anti virus tab in the Files Options select Dr Web for Outlook and click Add in Options button for Microsoft Outlook 2010 d The Dr Web Anti virus tab of Microsoft Outlook parameters are active only if user has permissions to change these settings On Dr Web Anti Virus tab the current protection status is displayed enabled disabled and it prov
69. d network solutions malicious programs malware of different kinds meant to strafe users become more and more widespread Their development began together with computer science and facilities of protection against them progressed alongside Nevertheless there is still no common Classification for all possible threats due to their unpredictable development character and constant improvement of applicable technologies Malicious programs can be distributed through the Internet local area networks e mail and portable data mediums Some of them rely on the user s carelessness and lack of experience and can be run in completely automatic mode Others are tools controlled by a computer cracker and they can harm even the most secure systems This chapter describes all of the most common and widespread types of malware against which products of Doctor Web are aimed Classification of Computer Threats Computer viruses This type of malicious programs is characterized by the ability to implement its code into the executable code of other programs Such implementation is called infection In most cases the infected file becomes a virus carrier itself and the implemented code does not necessarily match the original Most viruses are intended to damage or destroy data on the system Viruses which infect files of the operating system usually executable files and dynamic libraries and activate Ta J i ys Appendices upon launching of
70. des in the main memory of the computer and automatically launches upon Windows startup You can disable the automatic launch mode in SpIDer Agent settings 8 1 Managing SpIDer Gate SpIDer Gate can be managed via the SpIDer Gate item in the context menu of the SpIDer Agent icon see SpIDer Agent The Settings item provides access to the major part of adjustable parameters of the program The Statistics item opens a window containing information about the SpIDer Gate performance within the current session The Disable Enable item allows to start stop SpIDer Gate 102 Ta 1 ax 8 SpIDer Gate 103 About Register license My Dr Web Help amp SpIDer Guard e SpIDer Mail SplDer Gate Statistics 15 Control Settings Firewall Updater 8 Scanner Disable Disable Self protection Tools User mode A Settings item is not available in User mode 8 2 SpIDer Gate Settings The default settings are optimal for most cases They should not be changed without necessity To change the SpIDer Gate Settings 1 Make necessary changes on the pages of the SpIDer Gate Settings window 2 For more information about settings on a page click the Help 9 button 3 Click Apply to save changes immediately 4 When you finish adjusting the settings click OK to save changes or Cancel to reject them 8 SpIDer Gate Actions Actions Application filter Check mode Proxy
71. dified viruses that use known infection mechanisms Thus Dr Web users are protected against viruses such as notorious blackmailer Trojan Encoder 18 also known as gpcode In addition to detecting new and modified viruses the Origins Tracing mechanism considerably reduces the number of incidents of false triggering of the Dr Web heuristics analyzer 3 The detection method used by the heuristics analyzer is based on certain knowledge about the attributes that characterize malicious code Each attribute or characteristic has a weight coefficient that determines the level of its severity and reliability Depending on the sum weight of a file the heuristics analyzer calculates the probability of unknown virus infection As with any system of hypothesis testing under uncertainty the heuristics analyzer may commit type I or type II errors i e it may omit viruses or raise false alarms While performing any of the aforementioned checks Dr Web anti virus solutions use the most recent information about known malicious software As soon as Doctor Web Virus Laboratory Ta J N ax 1 Introduction experts discover new threats they issue an update on virus signatures behaviour characteristics and attributes In some cases updates can be issued several times per hour Therefore even if a brand new virus passes through the Dr Web resident guards and penetrates the system then after update the virus is detected in the list of processes
72. e Ignore Delete and Move to quarantine actions are similar to those of the Scanner All actions with files are described in Appendix B Computer Threats and Neutralization Methods chapter To change the default actions in SpIDer Guard 1 In the SpIDer Guard Settings window select the Actions tab 5 SpIDer Guard 73 Scanning Actions Actions for detected threats a I Infected files Incurable files Suspicious files Adware Dialers Jokes Cure recommended Move to quarantine recommended Move to quarantine recommended Move to quarantine recommended Move to quarantine recommended Ignore recommended Hacktools Ignore recommended Riskware Ignore recommended In the Infected objects drop down list choose the program s action upon detection of an infected object Cure action is recommended In the Incurable objects drop down list choose the program s action upon detection of an incurable object Move to quarantine action is recommended In the Suspicious objects drop down list choose the program s action upon detection of a suspicious object Move to quarantine action is recommended In the Adware and Dialers drop down lists choose the program s action upon detection of dangerous files Move to quarantine action is recommended The same procedure is used when setting the program s actions upon detection of objects c
73. e session with administrator privileges if such session is simultaneously active Internet Explorer 10 Dr Web Firewall 115 Dr Web Firewall has detected network activity Application name Application path Digital signature Endpoint Port Direction Internet Explorer C program files internet explorer jexplore exe Microsoft Corporation tep 65 55 17 26 80 www http Outbound There are no rules for this application To process connection attempts 1 To make a decision consider the following information displayed in the notification Application name Application path Digital signature Endpoint Port Direction The name of the application Ensure that the Path to the application executable file corresponds to its usual location The full path to the application executable file and its name Digital signature of the application The protocol used and the network address the application is trying to connect to The network ports used for the connection attempt Connection type Ta 1 ax 10 Dr Web Firewall 2 Once you make a decision select an appropriate action e To block this connection once select Block e To allow this connection once select Allow e To open a window where you can create a new application filter rule select Create new rule In the opened window you can either choose one of the predefined rules or create your rule for applicat
74. eb Security Space There are two installation modes of Dr Web Security Space 1 The background mode 2 The usual mode Background Installation To install Dr Web Security Space in the background mode enter in the command line the executable file name with necessary parameters these parameters affect logging reboot after installation and Dr Web Firewall installation No reboot No logging LS Pisa Reboot No logging S V qn REBOOT Force or S V qn REBOOT E No reboot Logging S V qn lv lt path gt drweb SeCEUDMlOcNG Reboot Logging S V qn lv lt path gt drweb setup log REBOOT E or S V qn 1lv lt path gt drweb setup log REBOOT Force Dr Web Firewall S V qn INSTALL FIREWALL 1 installation Reboot REBOOT E or 8 PP fea I NSTALL FIREWALL 1 REBOOT Force Ta 1 ax 2 Installing Dr Web Security Space 22 For example to install Dr Web Security Space with logging and reboot after installation execute the following command C Documents x86 exe log REBOOT F and Settings drweb 700 win space S V qn 1v Stemp s drweb setup If particular language of the installation is required use the following additional parameter L lt language_code gt For example L1049 S V qn RI The list of languages EBOOT Force 1026 Bulgarian 2052 Chinese Simplified 1028 Chinese Traditional 1
75. eb Security Space to operate correctly you must disable the option to change the Dr Web interface in the Windows Blinds settings To do this add drweb32w exe to the list of excluded applications 16 The program will ask you to reboot the computer this is required to complete the installation 2 2 Reinstalling and Removing Dr Web Security Space To modify repair or remove an installed version of Dr Web Security Space start the installation wizard In the opened window 1 Select Modify to change the set of installed components and click Next The Custom Installation window will open To remove all the components select Remove 2 To remove the Dr Web Security Space or to change the set of installed components you must disable Self Protection by entering the digits shown in the picture or password if you set Protect Dr Web settings by password flag on Advanced tab in SpIDer Agent settings 3 At the end of the installation reboot the computer when prompted You can start the modification repair or removal procedure via the standard Windows utility Add Remove Programs 2 Installing Dr Web Security Space 32 Program Maintenance Modify repair or remove the program Custom Selection dialog in which you can change the way features are Modify amp Change which program features are installed This option displays the installed Remove Dr Web Security Space 7 0 from your computer Ta 1
76. ed e Rescan scan the file one more time If during rescan file is detected as clean Quarantine Manager will suggest to restore it e Remove delete the file from the quarantine and from the system Right click anywhere in the table to access the following options e Submit file to Doctor Web Laboratory send a file to Doctor Web Virus Laboratory for checking e Copy hash to clipboard copy hash of the file computed using MD5 or SHA256 function to clipboard To manage several objects simultaneously select necessary objects in the quarantine window and select necessary action in the drop down menu In the bottom of the quarantine window the detailed information about selected items is displayed oR To configure Quarantine parameters click the Settings button in the Quarantine window The Quarantine properties window will be opened In this window you can change the following parameters e In the Set quarantine size section you can configure the amount of disk space for Quarantine folder e In the View section you can set the Show backup files checkbox to display backup copies of Quarantine files in the object table Backup copies are created automatically during moving files to the Quarantine Even if Quarantine files are kept permanently their backup copies are kept temporarily 3 5 Anti virus Network This section allows managing Dr Web Security Space on other computers of your network To access Dr Web Secu
77. ed in it Switches begin with the forward slash character and are separated with blanks as other command line parameters The Scanner and Console Scanner Parameters AA apply actions to detected threats automatically Only for Scanner AR check archives Option is enabled by default AC check installation packages Option is enabled by default AFS use forward slash to separate paths in archive Option is disabled by default ARC lt ratio gt maximum archive object compression If the compression rate of the archive exceed the limit scanner neither unpacks not scans the archive unlimited ARL lt eve gt maximum archive level unlimited ARS lt size gt maximum archive size If the archive size exceed the limit scanner neither unpacks nor scans the archive unlimited KB ART lt size gt minimum size of file inside archive beginning from 152 Ta J i ax Appendices 153 which compression ratio check will be performed unlimited KB ARX lt size gt maximum size of objects in archives that should be checked unlimited KB BI show information on Dr Web virus databases Option is enabled by default DR scan folders recursively i e scan subfolders Option is enabled by default E lt engines gt perform scanning in specified number of threads FAST perform an express scan of the system For Scanner only FL lt path gt scan
78. efault the program automatically intercepts all calls of any mail programs on your computer to POP3 servers on port 110 to SMTP servers on port 25 to IMAP4 servers on port 143 and to NNTP servers on port 119 Any incoming messages are intercepted by SpIDer Mail before they are received by the mail client They are scanned for viruses with the maximum possible level of detail If no viruses or suspicious objects are found they are passed on to the mail program in a transparent mode as if it was received immediately from the server Similar procedure is applied for outgoing messages before they are sent to servers By default the program s reaction upon detection of infected incoming messages as well as messages that were not scanned e g due to their complicated structure is as follows e Messages infected with a virus are not delivered the mail program receives an instructions to delete this message the server receives a notification that the message had been received this action is called deletion of the message e Messages with suspicious objects are moved to the quarantine folder as separate files the mail program receives a notification about this this action is called moving the message e Messages that were not scanned and safe messages are passed on e All deleted or moved messages are also deleted from the POP3 or IMAP4 server Infected or suspicious outgoing messages are not sent to the server a user is notified
79. ening TCPv6 m 1 0 O bytes Obytes Listening TCPV6 m 1 0 O bytes O bytes 4 Z wininit exe 1068 F Listening TCPv4 0 0 0 bytes 0 bytes Listening TCPv6 n GE 0 bytes 0 bytes For each application the following information on active connection is available Name The name of the application Direction The party which initiated the connection e Inbound the rule is applied when someone from the network attempted to connect to the application on you computer e Outbound the rule is applied when the application on your computer attempted to connect to the network e Listening the rule is applied when the application on your computer is awaiting for a connection attempt from the network Protocol The protocol used to transmit data Local address The protocol and host address from which comes an attempt to connect Ta i ax G 10 Dr Web Firewall 144 Remote address The protocol and host address to which the connection is attempted Sent The number of bytes sent through this connection Received The number of bytes received through this connection In the active connections statistics window you can terminate any active process by right clicking the process in the table and selecting Terminate process To terminate any active process you need administrative privileges Otherwise you can terminate only those processes that are run under your account From the context menu you
80. er its settings are not available and the e mails check for spam is not performed Dr Web for Outlook checks e mails for spam by means of Dr Web Anti spam and filters the messages according to the user defined settings To configure the check for spam in the Microsoft Outlook mail application in the Tools Options Dr Web Anti virus tab in the Files Options select Dr Web for Outlook and click Add in Options button for Microsoft Outlook 2010 click Spam filter The window with spam filter settings will be opened The Spam filter window will be available only for users with A administrative rights For Windows Vista and later operating systems after clicking Spam filter e if UAC is enabled administrator is requested to confirm program actions user without administrative rights is requested to enter accounting data of system administrator e if UAC is disabled administrator can change program settings user does not have the access to change program settings 7 3 1 Configuring Spam Filter To configure spam filter 1 To run spam checks select the Check for spam checkbox 2 You can add special text to the spam message header by set the Add prefix to message header checkbox The added Ta 1 ax 7 Dr Web for Outlook 94 prefix text is specified to the right of the flag The default prefix is SPAM 3 The checked messages can be marked as read in the message options To mark messages as
81. ers you do not have to register the serial number again you can use the key file received 14 Ta i aX 1 Introduction during the first registration d Demo key file can be used only on that computer on which it was registered Subsequent Registration If a key file is lost you must register again by inputting the personal data you provided during the previous registration You may use a different e mail address in which case the key file will be sent to the address specified When recovering a demo key file you will receive the same key file as you received during the previous registration The number of times you can request a key file is limited One serial number can be registered no more than 25 times If requests in excess of that number are sent no key file will be delivered To receive a lost key file contact Technical Support describe your problem in detail and state personal data you entered when you registered the serial number If no valid key file is found either for a license or a demo the functionality of the program is blocked 1 4 3 Renewing Registration When your license expires or the security of your system is reinforced you may need to update the license The new license should be registered with the product Dr Web Security Space supports hot license updates without stopping or reinstalling the product Ta J ax N 1 Introduction To renew license key files
82. ess of the server into the Server address entry field and the port number to which a connection is made into the Server port entry field and click Add 4 Repeat these actions for each resource 5 Click OK Ta J N ax 6 SpIDer Mail 86 In the settings of the mail client instead of the address and port of A POP3 SMTP IMAP4 NNTP server specify the address localhost port_SpIDer_Mail where port_SpIDer_Mail is the address assigned to an appropriate POP3 SMTP IMAP4 NNTP server Secure Connections You can enable scanning of data transmitted via secure protocols such as POP3S SMTPS or IMAPS To check such data select the Check encrypted traffic POP3S SMTPS IMAPS checkbox under Secure Connections If your client application a mail client that uses secure connections does not refer to the default Windows system certificate storage then you need to export Doctor Web SSL certificate Log Page On this page you can select the mode of keeping records in the log file e Standard Suitable for most cases in this mode SpIDer Mail logs the following most important actions only e Time of updates e Time of SpIDer Mail starts and stops e Detected errors and infections e Extended in this mode SpIDer Mail logs the most important actions and the following additional data e Mail interception parameters e Names of scanned objects e Names of packers e Contents of scanned complex objects archives mail boxes an
83. et services Authorize name resolution DNS KB951748 Authorize name resolution DNS Allow NetBIOS BOOTP DHCP s teavmn VIE JE JE 1E JE JE JE ITTF vr For each rule in the set the following information displays Enabled Execution states for the rule Action The action for Dr Web Firewall to perform when the packet is intercepted e Block packets e Allow packets Rule name The rule name Direction The packet sender e the rule is applied when packet is received from the network e the rule is applied when packet is sent into the network from your computer e the rule is applied regardless of packet transfer direction Log The logging mode for the rule This parameter defines which information is stored in the Dr Web Firewall log 133 Ta 1 ax 10 Dr Web Firewall 134 e Log headers the packet header only e Entire packet the whole packet e No logging no information is logged Description The rule description You can configure the list by adding new rules for the application or modifying existing rules and the order of their execution The rules are applied according to their order in the set To configure rulesets 1 ile If you select to create or edit an existing rule set on the Packet filtering settings page in the opened window specify the name for the rule set Use the fol
84. every copy of the virus This means that such viruses do not have byte signatures Stealth viruses perform certain actions to disguise their activity and thus conceal their presence in an infected object Such viruses gather the characteristics of a program before infecting it and then plant these dummy characteristics which mislead the scanner searching for modified files Viruses can also be classified according to the programming language in which they are written in most cases it is assembler high level programming languages scripting languages etc or according to the 164 Ta J i ys Appendices affected operating systems Computer worms Worms have become a lot more widespread than viruses and other malicious programs recently Like viruses they are able to reproduce themselves and spread their copies but they do not infect other programs A worm infiltrates the computer from the worldwide or local network usually via an attachment to an e mail and distributes its functional copies to other computers in the network It can begin distributing itself either upon a user s action or in an automatic mode choosing which computers to attack Worms do not necessarily consist of only one file the worm s body Many of them have an infectious part the shellcode which loads into the main memory RAM and then downloads the worm s body as an executable file via the network If only the shellcode is present in the
85. ger The Quarantine section of Dr Web Security Space serves for isolation of files that are suspicious as malware Quarantine folders are created separately on each logic disk where suspicious files are found When infected objects are detected at the portable data carrier accessible for writing the Quarantine folder will be created on the data carrier and infected objects will be moved to this folder To open Quarantine Manager click the SpIDer Agent E icon in the notification area select Tools and then select Quarantine Manager All threats Files 1 Files Mail Web Other ma Cee oat eicar_com zip i ested 06 04 2010 15 41 O BUILTIN AamnHncTpaTopei i ed 06 04 2010 15 41 NT AUTHORITY SYSTEM Ti ed 06 04 2010 15 41 e 184 Bytes Time quarantined 06 04 2010 15 41 s 184 Bytes Keep until permanent eat EICAR Test File NOT a Virus Anplcation Scanner In the center of the window the table with the quarantine state is displayed The following columns are included e Name name list of the objects in the quarantine e Threat malware classification which is assigned by Dr Web Security Space during automatic moving to the quarantine e Path full path of the object before moving to the quarantine 49 Ta J 1 aX 3 Getting Started 50 The bottom pane of the window displays detailed information about the selected objects You can also display this information in
86. ial method of protection against such attacks used in the Dr Web products for mail servers Sniffing a type of network attack also called passive tapping of network It is unauthorized monitoring of data and traffic flow performed by a packet sniffer a special type of non malicious program which intercepts all the network packets of the monitored domain Spoofing a type of network attack when access to the network is gained by fraudulent imitation of connection Phishing an Internet fraud technique which is used for stealing personal confidential data such as access passwords bank and identification cards data etc Fictitious letters supposedly from legitimate organizations are sent to potential victims via spam mailing or mail worms In these letters victims are offered to visit phony web sites of such organizations and confirm the passwords PIN codes and other personal information which is then used for stealing money from the victim s account and for other crimes Vishing a type of Phishing technique in which war dialers or VoIP is used instead of e mails 168 Ta J N ah Appendices Actions Applied to Threats There are many methods of neutralizing computer threats Products of Doctor Web combine these methods for the most reliable protection of computers and networks using flexible user friendly settings and a comprehensive approach to security assurance The main actions for neutrali
87. ide corporations Dr Web antivirus solutions are well known since 1992 for continuing excellence in malware detection and compliance with international information security standards State certificates and awards received by the Dr Web solutions as well as the globally widespread use of our products are the best evidence of exceptional trust to the company products We thank all our customers for their support and devotion to the Dr Web products y AN aX 1 N Table of Contents Introduction 1 1 About This Manual 1 2 Document Conventions 1 3 System Requirements 1 4 Licensing 1 4 1 Key File 1 4 2 Get Key File 1 4 3 Renewing Registration 1 5 How to Test Anti virus 1 6 Detection Methods Installing Dr Web Security Space 2 1 Installation Procedure 2 2 Reinstalling and Removing Dr Web Security Space 2 3 Obtaining Key Files Getting Started 3 1 SpIDer Agent 3 2 General Settings 3 3 License Manager 3 4 Quarantine Manager 3 5 Anti virus Network Dr Web Scanner 4 1 Scanning Your System 4 2 Neutralizing Detected Threats 10 11 12 12 13 15 17 18 20 21 31 33 35 38 41 47 49 51 54 56 59 4 y AN aX 4 3 Scanner Settings 4 4 Scanning in Command Line Mode 4 5 Console Scanner 4 6 Automatic Launch of Scanning SpIDer Guard 5 1 Managing SpIDer Guard 5 2 SpIDer Guard Settings SpIDer Mail 6 1 Managing SpIDer Mail 6 2 SpIDer Mail Settings Dr Web for Outl
88. ided the access to the following program functions e Log allows to configure the program logging e Check attachments allows to configure the e mails check and to specify the program actions for the detected malicious objects e Spam filter allows to specify the program actions for spam and to create black and white lists of e mail addresses 7 Dr Web for Outlook 89 e Statistics allows to review the number of checked and processed objects General e Dr Web Anti virus enabled Anti virus and anti spam check Infected attachments may present a threat to your information security Check attachments Spam messages are unsolicited bulk e mails Statistics mm Checked Clear Infected Moved to quarantine Suspicious Deleted Cured Skipped Not checked Spam messages Ta J N ax 7 Dr Web for Outlook 7 2 Treat Detection Dr Web for Outlook uses different detection methods The infected objects are processed according to the actions defined by user the program can cure the infected objects remove them or move them to Quarantine to isolate them from the rest of the system 7 2 1 Types of Threats Dr Web for Outlook detects the following computer security threats in the mail e Infected objects e Bomb viruses in files or archives e Adware Hacktools Dialer programs Joke programs Riskware e Spyware Trojan horses Trojans e Computer worms and viruse
89. ins the symbol it will be considered a domain name In this case all resources on the domain will be filtered If the string also contains the symbol e g example com test then the part to the left of it will be considered the domain name and the part to the right will be allowed restricted on the domain e g example com test 11 template example com test22 etc will be filtered e Click Add The address will be added to the list above The address may be converted to a more simple structure e g http www example com will be converted to www example com To delete a web resource from the list select it and click Delete Local Access Page On this page you can allow or block access to data on portable data storages USB flash floppy CD DVD ZIP drives etc and also limit access to specific folders and files on your computer Also you can allow or block data transfer over the network 112 9 Parental Control 113 URL filter Local access e Local access Local access LPF Using portable data storage devices USB flash floppy CD DVD ZIP drives etc S Allow Deny Data transfers via local home or office networks and Internet Allow Deny Access to user files and folders Unlimited Restrict access to the following objects To configure list of restricted objects 1 In the Access to user files and folders group select Restrict access to the selected objects
90. ion e Internet Explorer The following network access problems were detected There are no rules for this application You can allow block or customize application network access You can choose either one of predefined rules or create your own application rule Application name internet Explorer Application path C program files internet explorer jexplore exe Digital signature Microsoft Corporation Address tep 207 46 16 233 Port 80 www http Direction Outbound Apply predefined rule Allow network connection for application on port 80 www http Create custom rule 3 Click OK Dr Web Firewall executes the selected action and closes the notification window In cases when connection was initiated by a trusted application an application with existing rules but this application was run by an unknown parent process a corresponding notification will be prompted 116 10 Dr Web Firewall nslookup Dr Web Firewall has detected network activity Application name nslookup Application path C windows system32 nslookup exe Digital signature Microsoft Corporation Endpoint udp 192 168 109 2 Port 53 domain Direction Outbound To set parent processes rules 1 Consider the information about parent process displayed in the notification e To block this connection once select Block e To allow this connection once select Allow e To open a window where you can create a
91. ions in this group Settings Advanced Components Prevent suspicious actions E Protect the HOSTS system file Update E Protect critical system objects Advanced E Block applications from writing to disk using low level functions Self protection parameters Fa V Block user activity emulation Py This option prevents any changes in Dr Web operation except those made manually by user Doctor Web certificate Password protection E Enable Remote Control Change password E Protect Dr Web settings by password Change password Doctor Web Certificate You may need to scan data transmitted in accordance with SSL protocol For instance you can set SpIDer Gate to check encrypted data transmitted via HTTPS protocol or set SpIDer Mail to receive and send messages via POP3S SMTPS or IMAPS These protocols use encrypted SSL connections In order for Dr Web Security Space to scan such encrypted traffic and maintain transparent integration with some browsers and mail clients that do not refer to the Windows system certificate storage it may be necessary to import Doctor Web SSL certificate into the application certificate storages To save the certificate from the system storage for future use in third party applications click Export and select a convenient folder Ta 1 ax 3 Getting Started 46 Password protection Here you can configure the following options e Allow remote access to Dr Web Sec
92. it In Additional tasks group you can configure SpIDer Guard parameters to check the following objects e Executables of running processes regardless of their location e Installation files e Files on network drives e Files and boot sectors on removable devices These parameters are applied in any scan mode Also you can select Block autoruns from removable media check Ta J 1 aX 5 SpIDer Guard 72 box to disable autoplay option for portable data storages such as CD DVD flash memory etc This option helps to protect you computer from viruses transmitted via removable media If any problem occur during installation with autorun option it is recommended to remove Block autoruns from removable media flag Exclusions Page On this page folders and files to be excluded from checking are specified In the Exluded folders and files field the list of folders and files to be excluded from scanning can be set These can be the quarantine folder of the anti virus some program folders temporary files swap files etc To add a file folder or mask to the list type its name into the entry field and click Add To enter an existing file name or folder you can click Browse to the right and select the object in a standard file browsing window To remove a file or folder from the list select it in the list and click Remove Actions Page On this page you can adjust SpIDer Guard reaction to infected objects The Cur
93. ks You can list custom websites for which you want to deny or grant access regardless of other restrictions Blacklist White ist Allow access only to the specified sites To set access to web resources Choose one of the modes e Allow access to all sites There are no restrictions in this mode e Block the sites specified In this mode you can select the types of blocked web sites Besides you can set lists of blocked and allowed web sites regardless of restrictions by categories e Allow access only to specified sites In this mode access to all resources except those in White list will be restricted d Lists of web sites in all categories are constantly updated by the Automatic Updating Module along with virus databases Add the domain names which should be blocked to the Address bar content list 111 Ta AN ys 9 Parental Control To create a list of domain names e Enter a domain name or part of it into the field If you wish to add a specific web site enter its full address e g www example com Access to all resources on that web site will be allowed restricted If you wish to allow restrict access to web sites which contain certain text in their address name enter that text into the field e g example means that access to example com example test com test com example test example222 ru etc will be allowed restricted If the string conta
94. level 5 means the maximum level of details for the program logging By default logging is disabled 3 Specify the maximum log file size in kilobytes 4 Click OK to save changes The Log window will be available only for users with administrative A rights For Windows Vista and later operating systems after clicking Log e if UAC is enabled administrator is requested to confirm program actions user without administrative rights is requested to enter accounting data of system administrator e if UAC is disabled administrator can change program settings user does not have the access to change program settings To view program log To open the text log click Show in folder Ta J i ax 7 Dr Web for Outlook 7 5 Statistics In the Microsoft Outlook mail application in the Tools gt Options Dr Web Anti virus tab in the Files Options select Dr Web for Outlook and click Add in Options button for Microsoft Outlook 2010 statistic information about total number of objects which have been checked and treated by the program is listed These scanned objects are classified as follows e Checked total number of checked messages e Infected number of messages with viruses e Suspicious number of messages presumably infected with a virus upon a reaction of the heuristic analyzer e Cured number of objects successfully cured by the program e Not checked number of objects which c
95. ll files on drives files in certain directories files by certain mask etc DelWin deletes files vital for the operation of Windows OS FormatC formats drive C FormatAll formats all drives KillMBR corrupts or deletes master boot records MBR KillCMOS corrupts or deletes CMOS memory 172 Ta J i ys Appendices Tools for network attacks Nuke tools for attacking certain known vulnerabilities of operating systems leading to abnormal shutdowns of the attacked system DDoS agent program for performing a DDoS attack Distributed Denial Of Service FDoS synonym Flooder programs for performing malicious actions in the Internet which use the idea of DDoS attacks in contrast to DDoS when several agents on different computers are used simultaneously to attack one victim system an FDoS program operates as an independent self sufficient program Flooder Denial of Service Malicious programs Adware an advertising program Dialer a dialer program redirecting modem calls to predefined paid numbers or paid resources Joke a joke program Program a potentially dangerous program riskware Tool a program used for hacking hacktool Miscellaneous Exploit a tool exploiting known vulnerabilities of an O S or application to implant malicious code or perform unauthorized actions Generic this prefix is used after another prefix describing the environment or the devel
96. low services exe outbound 127 0 Autogenerated rule Allow packets Allow services exe inbound 127 0 0 Autogenerated rule Allow packets Allow services exe outbound fe80 Autogenerated rule Allow packets Allow services exe inbound fe80 Autogenerated rule For each rule in the set the following information displays Enabled Execution states for the rule Action The action for Dr Web Firewall to perform when the connection attempt is detected e Block packets e Allow packets Rule name The rule name Connection type The party which initiates the connection e Inbound the rule is applied when someone from the network attempts to connect to the application on your computer Ta 1 ax 10 Dr Web Firewall 124 e Outbound the rule is applied when the application on your computer attempt to connect to the network e Any the rule is applied regardless of who initiate the connection Description The rule description To configure rules 1 If you select to create a new or edit an existing set of application filter rules on the Application filter settings page in the opened window specify the application for which you want the rules to apply e To add a set of rules for a user program click the Select l Iv button and select the application executable file e To add a set of rules for a process click arrow on the Select lL Iv button choose r
97. lowing options to create filtering rules e to add a new rule click New The new rules is added to the beginning of the list e to modify a rule select it and click Edit e to add a copy of a rule select the rule and click Copy The copy is added after the selected rule e to delete a rule select it and click Delete If you selected to create or edit a rule configure rule settings in the opened window Use the arrows next to the list to change the order of rules The rules are applied according to their order in the set When you finish adjusting the settings click OK to save changes or Cancel to reject them Packets with no rules in a rule set are blocked automatically except packets allowed by Application Filter rules Ta 2 ww 10 Dr Web Firewall 135 ax Packet Filter Rules To add or edit a rule 1 In the packet filter rule set creation or modification window click New or Edit This opens a rule creation or rule modification window acten oc A EAPoL 202 1x JO i Rulename EAPol Authenticate via EAPoL 802 1x Description Allows to authenticate via EAPoL 802 1x This may be used by some wireless Logging 2 Configure the following parameters Action The action for Dr Web Firewall to perform when the packet is intercepted e Block packets e Allow packets Direction The packet sender e Inbound apply the rule when packet is received from the network e Outbound
98. m or a component of another malicious program A rootkit is basically a set of utilities which a cracker installs on a system to which she had just gained access There are two kinds of rootkits according to the mode of operation User Mode Rootkits UMR which operate in user mode intercept functions of the user mode libraries and Kernel Mode Rootkits KMR which operate in kernel mode intercept functions on the level of the system kernel which makes it harder to detect Hacktools Hacktools are programs designed to assist the intruder with hacking The most common among them are port scanners which detect vulnerabilities in firewalls and other components of the computer s protection system Besides hackers such tools are used by administrators to check the security of their networks Occasionally common software which can be used for hacking and various programs that use social engineering techniques are designated as among hacktools as well Spyware This type of malicious programs is designed to perform monitoring of the system and send the gathered information to a third party creator of the program or some other person concerned Among those who may be concerned are distributors of spam and advertisements scam agencies marketing agencies criminal organizations industrial espionage agents etc Spyware is secretly loaded to your system together with some other software or when browsing certain HTML pages and advertising
99. m the file are blocked The Rename action means that the extension of the file is renamed which makes it inoperative 169 Ta J N ah Appendices Appendix C Naming of Viruses Specialists of the Dr Web Virus Laboratory give names to all collected samples of computer threats These names are formed according to certain principles and reflect a threat s design classes of vulnerable objects distribution environment OS and applications and some other features Knowing these principles may be useful for understanding software and organizational vulnerabilities of the protected system In certain cases this classification is conventional as some viruses can possess several features at the same time Besides it should not be considered exhaustive as new types of viruses constantly appear and the classification is made more precise The full and constantly updated version of this classification is available at the Dr Web web site The full name of a virus consists of several elements separated with full stops Some elements at the beginning of the full name prefixes and at the end of it suffixes are standard for the accepted classification Below is a list of all prefixes and suffixes used in Dr Web divided into groups Prefixes Affected operating systems The prefixes listed below are used for naming viruses infecting executable files of certain OS s e Win 16 bit Windows 3 1 programs e Win95 32 bit Windows 95 98
100. n anti virus guard for e mail The program intercepts calls sent from mail clients to mail servers through POP3 SMTP IMAP4 NNTP protocols IMAP4 stands for IMAPv4rev1 and detects and neutralizes mail viruses before a mail message is received by the mail client or before a mail message is sent to the mail 7 Ta ww ys 1 Introduction server SpIDer Mail uses Anti spam to scan mail for spam messages Dr Web for Outlook is a plug in that checks Microsoft Outlook mail boxes for viruses and spam SpIDer Gate is an HTTP monitor By default SpIDer Gate automatically checks incoming HTTP traffic and blocks all malware objects The Parental Control component is used to restrict access to both local and web resources Dr Web Firewall protects your computer from unauthorized access and prevents vital data from leaking through networks Dr Web Updater allows registered users to receive updates of the virus database and other program files as well as automatically install them SpIDer Agent is a utility that lets you set up and manage Dr Web Security Space components Ta i ax 1 Introduction 1 1 About This Manual This User Manual describes installation and effective utilization of Dr Web Security Space You can find detailed descriptions of all graphical user interface GUI elements in the Help system of Dr Web Security Space which can be accessed from any component This User Manual describes how to ins
101. n of a non checked or malformed message Ignore action is recommended In the Adware and Dialers drop down lists choose the program s action upon detection of adware and dilers Move to quarantine action is recommended The same procedure is used when setting the program s actions upon detection of messages containing jokes riskware and hacktools Ignore action is recommended Click OK to apply changes and close the SpIDer Mail Settings window Protection against suspicious messages can be disabled if a PC is additionally protected by a constantly loaded SpIDer Guard component Additionally you can increase the default level of reliability of anti virus protection by selecting the Move to quarantine option in the Not checked messages drop down list Files with moved messages should be checked by the scanner You can enable the mode when the deleted or moved messages are immediately deleted from the POP3 IMAP4 server For this set the Delete modified messages on server check box in advanced settings 80 6 SpIDer Mail To get access to advanced settings click Options Scan options Heuristic analysis Virus activity control Check archives ISS gt dditional actions on messages Insert X AntiVirus header into messages Delete modified messages on server Is Scanning optimization options Message scan timeout 0 seconds J Maximum file size to extract o K
102. nd deletion is impossible e For files inside archives installation packages or attachments no actions are possible The detailed report on the program s operation is saved in dwscanner log file that resides in the USERPROFILE Doctor Web folder Ta 1 ax 4 Dr Web Scanner 4 3 Scanner Settings da It is recommended for Scanner to be run by a user with administrator privileges because files to which unprivileged users have no access including system folders are not scanned Default program settings are optimal for most applications and they should not be modified if there is no special need for it To configure Scanner 1 To open Scanner settings click the Settings icon on the toolbar This opens the Dr Web Scanner settings window which contains several tabs Make the necessary changes For more detailed information on the settings specified in each tab use the Help button When editing is finished click OK to save the changes made or Cancel to cancel the changes 61 Ta 1 ax 4 Dr Web Scanner Main Page On this tab you can set general parameters of Scanner operation You can enable sound notifications on particular events set Scanner to apply recommended actions to detected threats automatically and configure Scanner interaction with the operating system It is recommended to run Scanner under an account with administrative privileges Otherwise all folders and files th
103. ng process unlimited NOREBOOT cancel system reboot or shut down after scanning For Scanner only NT check NTFS streams Option is enabled by default OK display the full list of scanned objects showing OK for clean files Option is disabled by default P lt prio gt priority of the current scanning task 0 the lowest L low N general Priority by default H high M maximal PAL lt evel gt maximum pack level Value is 1000 by default RA lt file log gt append the specified file with the current scanning report By default report is not generated RP lt file log gt rewrite the specified file with the current scanning report By default report is not generated RPC lt secs gt Dr Web Scanning Engine connection timeout Timeout is 30 seconds by default For Console Scanner only Ta J 1 ax Appendices RPCD use dynamic RPC identification For Console Scanner only RPCE use dynamic RPC endpoint For Console Scanner only RPCE lt name gt use specified RPC endpoint For Console Scanner only RPCH lt name gt use specified host name for remote call For Console Scanner only RPCP lt name gt use specified RPC protocol Possible protocols Ipc np tcp For Console Scanner only QL list quarantined files on all disks For Console Scanner only QL lt ogical_drive_name gt list quarantined file
104. number PID The name of the rule applied The party which initiated the connection e Inbound someone from the network attempted to connect to the application on you computer e Outbound the application on your computer attempted to connect to the network e Any the rule was applied regardless of who initiated the connection The action Dr Web Firewall performed when the connection attempt was detected e Block packets e Allow packets The protocol IP address and the port used for the connection 145 Ta AN ash 10 Dr Web Firewall 146 On this page you can save the information to a file or clear the log To save application filter log Click Save then enter the file name where to store the log To clear application filter log Click Clear All information will be deleted from the log Ta 2 ww 10 Dr Web Firewall 147 ax 10 4 3 Packet Filter Log The packet filter log stores information on packets transmitted through all network interfaces installed on you computer if Log headers or Entire packet logging mode was set for these packets If No logging mode was set for a packet no information is stored Packet Filter journal Application Time Direction Rule name Interface journal 3 1 2010 2 23 5 PC lt Inet ICMPv4 Ping other Local Area Connection 74bytes e Packet Filter 3 1 2010 2 23 5 pPC gt Inet ICMPv4 Ping other Local Area Connection
105. o a class of riskware programs These were not intended as malicious but can potentially be a threat to the system s security due to their certain features Riskware programs are not only those which can accidentally damage or delete data but also ones which can be used by crackers or some malicious programs to do harm to the system Among such programs are various remote chat and administrative tools FTP servers etc 167 Ta J N ah Appendices Below is a list of various hacker attacks and internet fraud e Brute force attack performed by a special Trojan horse program which uses its inbuilt password dictionary or generates random symbol strings in order to figure out the network access password by trial and error DoS attack denial of service or DDoS attack distributed denial of service a type of network attack which verges on terrorism It is carried out via a huge number of service requests sent to a server When a certain number of requests is received depending on the server s hardware capabilities the server becomes unable to cope with them and a denial of service occurs DDoS attacks are carried out from many different IP addresses at the same time unlike DoS attacks when requests are sent from one IP address Mail bombs a simple network attack when a big e mail or thousands of small ones is sent to a computer or a company s mail server which leads to a system breakdown There is a spec
106. on Version name arg p product Product name arg Ta yan A A Appendices 159 a path arg N 5 component J arg u user arg k password larg g proxy arg e exclude arg Product directory path This directory will be used as default directory for all components included in product Dr Web Updater will search for a key file in this directory Component name and installation folder lt Name gt lt install path gt Username for proxy server Password for proxy server Proxy server for updating lt Address gt lt port gt Component name that will be excluded from product during installation update command parameters p product arg n os component arg x selfrestart arg yes geo update type normal arg Product name If specified only this product will be updated If nothing is specified all products will be updated If components are specified only these components will be updated Components that should be updated to specified version lt Name gt lt target revision gt Reboot after updating of Dr Web Updater Default value is yes If value is set to no reboot required notification will appear Attempt to get list of IP addresses from update drweb com before updating One of the following e reset all reset revision to 0 for all components Ta 2 N ax Appendices 1
107. onsequences including security system failure Please use the Windows Add or Remove Programs utility and Windows Security Center to make sure that no other anti virus programs are installed on your computer before continuing If there is another anti virus program installed click Cancel to abort the installation remove the anti virus and run the Dr Web Security Space 7 0 Installation Wizard again If you are sure that no other anti virus software is installed select the check box below and click Next I confirm that no other anti virus software is installed on this computer 4 In the next window you will be offered to install Dr Web Firewall You can also participate in expansion of trusted applications database for Dr Web Firewall Select the Send new rules to Doctor Web checkbox to allow Dr Web Firewall to send created rules to Doctor Web Ta J 1 ax 2 Installing Dr Web Security Space 25 JE Dr Web Security Space 7 0 OO x Firewall installation E f Select the option which best suits your situation Dr Web Firewall protects your computer from unauthorized access and prevents leak of vital data through networks Install Dr Web Firewall You can participate in expansion of trusted applications database for Dr Web Firewall Doctor Web will receive your new rules automatically Send new rules to Doctor Web eo cored 5 If in the previous step you selected the Install Dr Web Firewall
108. ontaining jokes riskware and hacktools Ignore action is recommended Click OK to apply changes and close the SpIDer Guard Settings window Ta 2 aX N 5 SpIDer Guard 74 Log Page On this page you can select the mode of keeping records in the log file e Standard in this mode SpIDer Guard logs the following most important actions only e Time of updates e Time of SpIDer Guard starts and stops e Detected errors and infections e Extended in this mode SpIDer Guard logs the most important actions and the following additional data e Names of scanned objects e Names of packers e Contents of scanned complex objects archives mail boxes and file containers It is recommended to use this mode when determining objects that SpIDer Guard checks most often e Debugging in this mode SpIDer Guard logs all details on its activity This may result in considerable log growth The SpIDer Guard log is stored in the spiderg3 log file that is located in folder allusersprofile Application Data Doctor Web Logs for Windows 7 allusersprofile o Doctor Web Logs It is recommended to analyze the log file periodically Ta J 1 ys 6 SpIDer Mail 6 SpIDer Mail By default SpIDer Mail for Windows is included into the set of installed components constantly resides in the memory and automatically reloads at Windows startup You can disable the automatic launch mode in SpIDer Agent settings By d
109. ook 7 1 Configuring Dr Web for Outlook 7 2 Treat Detection 7 2 1 Types of Threats 7 2 2 Configuring Actions 7 3 Spam Check 7 3 1 Configuring Spam Filter 7 3 2 Using Black and White Lists 7 4 Logging 7 4 1 Event Log 7 4 2 Debug Text Log 7 5 Statistics 8 SpIDer Gate 8 1 Managing SpIDer Gate 8 2 SpIDer Gate Settings 9 Parental Control 61 65 66 67 68 69 70 75 78 79 88 88 90 90 90 93 93 95 98 98 99 101 102 102 103 110 5 y AN aX 9 1 Parental Control Settings 10 Dr Web Firewall 10 1 Training Dr Web Firewall 10 2 Managing Dr Web Firewall 10 3 Firewall settings 10 3 1 Application Filter 10 3 2 Parent processes 10 3 3 Network Interfaces 10 3 4 Advanced settings 10 3 5 Restoring Defaults 10 4 Event Logging 10 4 1 Active Applications 10 4 2 Application Filter Log 10 4 3 Packet Filter Log 11 Automatic Updating 11 1 Running Updates Appendices Appendix A Command Line Parameters The Scanner and Console Scanner Parameters Dr Web Updater Command Line Parameters Appendix B Computer Threats and Neutralization Methods Appendix C Naming of Viruses Appendix D Technical Support 110 114 114 119 121 121 127 129 138 141 142 142 144 147 149 149 152 152 152 158 163 170 175 6 Ta i ax 1 Introduction 1 Introduction Dr Web Security Space provides multi level protection of RAM hard disks and removable devices against vi
110. opment method to name a typical representative of this type of viruses Such virus does not possess any characteristic features such as text strings special effects etc which could be used to assign it some specific name Silly this prefix was used to name simple featureless viruses the with different modifiers in the past 173 Ta 2 ys N Appendices Suffixes Suffixes are used to name some specific virus objects e Origin this suffix is added to names of objects detected using the Origins Tracing algorithm e generator an object which is not a virus but a virus generator e based a virus which is developed with the help of the specified generator or a modified virus In both cases the names of this type are generic and can define hundreds and sometimes even thousands of viruses e dropper an object which is not a virus but an installer of the given virus 174 Ta 1 ax Appendices Appendix D Technical Support Support is available to customers who have purchased a commercial version of Dr Web products Visit Doctor Web Technical Support website at http support drweb com If you encounter any issues installing or using company products take advantage of the following Doctor Web support options e Download and review the latest manuals and guides at http download drweb com doc e Read the frequently asked questions at http support drweb com e Browse
111. or connection You can port specify either a specific port number Equals or a port range In range To apply the rule for all ports select Any 2 When you finish adjusting the settings click OK to save changes or Cancel to reject them 10 3 2 Parent processes To allow or forbid processes or applications to run other applications you have to set up appropriate rules on Parent processes page 10 Dr Web Firewall Parent application settings Application Path SYSTEM C Windows System32 services exe C Windows System32 wininit exe C Windows System32 winlogon exe C Program Files x86 DrWeb dwserv C Program Files x86 Internet Explor C Windows System32 svchost exe C Windows System32 smss exe C Windows System32 userinit exe C Windows System32 cmd exe C Program Files x86 DrWeb spidera C Windows explorer exe C Program Files x86 DrWeb spidera Z System process Z Services and Controller app Z Windows Start Up Application a Windows Logon Application Z Dr Web Control Service Internet Explorer T host Process for Windows Se Z Windows Session Manager Tuserinit Logon Application EBM Windows Command Processor amp spider Agent for Windows a Windows Explorer splDer Agent admin mode mo M To add rule for parent process 1 Choose parent process e To add new rule for an application click New and browse for program executable e To add new rule fo
112. ows Scan your computer file system with the default maximum scanning detail settings Keep default settings of SpIDer Guard Perform complete e mail scanning with SpIDer Mail Perform scanning of incoming HTTP traffic with SpIDer Gate Block all unknown connections with Dr Web Firewall Perform a periodic complete scan of your PC that coincides with when virus database updates are issued at least once a week Immediately perform a complete scan whenever SpIDer Guard has been temporarily disabled and the PC was connected to the Internet or files were downloaded from removable media databases and other program files regularly preferably every Anti virus protection can only be effective if you update the virus hour For more information read Automatic Updating A Q T AN A A v 3 Getting Started 38 3 1 SpIDer Agent After Dr Web Security Space has been installed a SpIDer Agent amp icon is added to the taskbar notification area If you hover the mouse cursor over the icon a pop up appears with information about the components that are running the date of last update and amount of virus signatures in the virus databases Furthermore notifications which are adjusted in the settings see below may appear above the SpIDer Agent amp icon The context menu of the icon allows to perform the main management and settings functions of Dr Web Security Space About Register license My Dr We
113. r operating system deleting at all detected threats be neutralized immediately Dr Web Scanner will apply 7 4 Scanning completed Dr Web Scanner detected threats It is Threats detected 25 Threats neutralized 0 File name Threat Action Path z movie1402 exe BackDoor Tdss based 7 Cure B C Col_TDSS 317 moviel402 exe dogma exe BackDoor Tdss based 7 Cure C Col_TDSS 318 dogma exe x force_generator BackDoor Tdss based 7 Cure z C Col_TD x force_generator exe serial exe BackDoor Tdss based 3 Cure C Col_TDSS 314 serial exe movie exe BackDoor Tdss based 7 Cure x C Col_TDSS 313 movie exe tdss320 exe BackDoor Tdss based 7 Cure fizi C Col_TDSS 320 tdss320 exe A Hide additional information To select an action 1 Where necessary select a custom action from the drop down list in the Action field By default Scanner selects a recommended action for the type of detected threat 59 Ta J rQ aX 4 Dr Web Scanner 60 2 Click Neutralize Scanner applies all selected actions to the detected threats Suspicious objects are moved to Quarantine and should be sent A for analysis to the anti virus laboratory of Doctor Web To send the files right click anywhere in the Quarantine windows and select Submit file to Doctor Web Laboratory There are some limitations e For suspicious objects curing is impossible e For objects which are not files boot sectors moving a
114. r an already running process click arrow on New choose running application and select process 2 Set appropriate action e Block to prevent application from running other processes e Allow to permit application to run other processes New process is blocked by default When there is a rule for a parent process and the executable for A this parent process has been changed e g after update then Firewall prompts you to reconfirm the rule and approve further launched of applications by this parent process 128 Ta 1 ax 10 Dr Web Firewall 10 3 3 Network Interfaces On the Interfaces page you can select a rule set to use for filtering packets transmitted through different network interfaces On the Packet rules for interfaces page you can select a packet filtering ruleset to use for each network interface installed on your computer Applications Packet rules for interfaces Parent processes Interfaces represent physical or logical devices which provide connectivity between your computer and networks or mobile devices Through connection interfaces you can gain access to remote resources or provide access to your ineoifeces computer from other devices With Dr Web Firewall you can specify rules for each interface separately Ayanc d Network interface Restore defaults E ocal Area Connection Restore defaults al Adapter Realtek RTL8 102E RTL8 103E Family PCI E Fast Ethernet NIC NDIS
115. r instead of the username in the address For example if you enter example net SpIDer Mail will deliver without scanning the messages from all senders within the example net domain e To ensure delivery of messages sent from email address with a certain user name from any domain use the character instead of the domain name in the address For example if you enter ivanov SpIDer Mail will deliver without scanning the messages from all senders with the i vanov mailbox name Black List If the sender s address is on the black list the message will be automatically regarded as spam e To add a definite sender enter the full email address for example spam domain com All messages received from these addresses will be automatically regarded as spam e Addresses must be divided by the symbol e To add a group of sender addresses enter the mask that determines their names The mask defines template for an object definition It may contain regular characters from the e mail addresses and special character replaces any including the empty one sequence of any symbols For Example the following addresses are available e mailbox domain com e box domain com e mailbox dom 97 Ta J 1 ax 7 Dr Web for Outlook e box dom The symbol can be set at the start or at the end of an address only The symbol is obligatory e To regard as spam messages sent from any email address within
116. r the address see white and black lists filling methods 3 Click OK To change addresses 1 Select the address you want to change and click Edit 2 Change the address 3 Click OK To delete addresses 1 Select the address in the list 2 Click Delete In the Black and White lists window click OK to save changes White List If the sender s address is on the white list the message is not scanned for spam But if domain name of receiver and sender addresses are matched and this domain name is specified in the white list using the sign this letter will be checked for spam e To add a definite sender enter the full email address for example friend mail com This ensures delivery of all messages from this sender e Addresses must be divided by the symbol e To add a group of sender addresses enter the mask that determines their names The mask defines template for an object definition It may contain regular characters from the e mail addresses and special character replaces any including the empty one sequence of any symbols For Example the following addresses are available e mailbox domain com e box domain com Ta 2 1 ax 7 Dr Web for Outlook e mailbox dom e box dom The symbol can be set at the start or at the end of an address A only The symbol is obligatory e To ensure delivery of messages sent from any email address within a domain use the characte
117. red serial number or provide the license key file Click Next The registration data window opens 2 Fill in all necessary fields in the registration form to receive a key file and click Next stratio Step 2 User information Registration name Mr Smith Region United Kingdom City London E mail address mail mail com Subscribe to newsletters Privacy statement online 3 The procedure of receiving the license key will start If the key file is downloaded successfully the window displays an appropriate message and duration of the license Otherwise an error message will appear A AN T v A A 3 Getting Started 35 3 Getting Started The installation program allows you to install the following Dr Web Security Space components on your computer e Scanner GUI and console versions e SpIDer Guard e SpIDer Mail e Dr Web for Outlook e SpIDer Gate e Parental control e Firewall e Automatic Updating Utility e SpIDer Agent e Anti spam e Link Checker The components of Dr Web Security Space use common virus databases and anti virus engine In addition uniform algorithms that detect and neutralize viruses in scanned objects are implemented However the methods of selecting objects for scanning differ greatly which allows these components to be used for absolutely different and mutually supplementary PC protection policies For example
118. rity Space remote control in the context menu of the SpIDer Agent icon in 51 3 Getting Started the taskbar notification area select Tools and then select Anti virus Network item You can review summary information about Dr Web product on selected computer If you have remote access to a computer you can manage settings enable or disable Dr Web components and start an anti virus scan LJ ANTON WIN7EN SplDer Guard Enabled Anti spam Enabled IP 10 4 0 84 SplDer Gate Enabled URL Filter Disabled SplDer Mail Enabled Local access Disabled Firewall Enabled Self protection Enabled Last Update 10 9 2011 To access remote anti virus select a computer in the list and click Connect Enter password specified in settings of the remote anti ats virus An icon for the remote SpIDer Agent s appears in the Windows notification area The user of the remote anti virus will be notified about remote connection The following items to configure and manage remote Dr Web Security Space are available set of components depends on which Dr Web product is installed e About e Register license e My Dr Web e Help e SpIDer Guard e SpIDer Mail e SpIDer Gate e Parental Control 52 Ta N ys 3 Getting Started e Firewall Tools e Update e Enable Disable Self protection The Tools item opens a submenu that provides access to e License Manager e General Settings of Dr Web operation
119. rs and most newly installed software d Add only those apllications to Applications being checked on all ports list that use HTTP protocol Add applications whose network activity should not be checked at all to the Excluded applications list You should only add applications which you trust to this list To add an application to a list click Browse and select the application in a standard window To delete an application from a list select it and click Delete You can enable scanning of data transmitted via secure protocols such as HTTPS To check such data select the Check encrypted traffic HTTPS checkbox under Secure Connections If your client application that uses secure connections does not refer to the default Windows system certificate storage then you need to export Doctor 106 Ta J 1 ax Web SSL certificate 8 SpIDer Gate 107 8 SpIDer Gate 108 Actions SplDer Gate proxy server Application filter Parameters of operation as local proxy Use local proxy server Specify a port number for the SpIDer Gate proxy server You must specify this port in connection s For all applications that use the Internet C use proxy chain If you use another pr onnect to the Internet rits tion parameters Address ort On this page you can specify a port number for the SpIDer Gate proxy server You must specify this port in connection parameters for all applications that use
120. ruses rootkits Trojans spyware adware hack tools and other malicious programs The module architecture of Dr Web Security Space is its significant feature The anti virus engine and virus databases are common for all components and different operating environments At present in addition to Dr Web products for Windows there are versions of anti virus software for IBM OS 2 Novell NetWare Macintosh Microsoft Windows Mobile Android Symbian and several Unix based systems Linux FreeBSD and Solaris Dr Web Security Space uses a convenient and efficient procedure for updating virus databases and program components via the Internet Dr Web Security Space can detect and remove undesirable programs adware dialers jokes riskware and hacktools from your computer To detect undesirable programs and perform actions with the files contained in them standard anti virus components are used Dr Web Security Space includes the following components e Dr Web Scanner for Windows Scanner is an anti virus scanner with graphical interface The program runs on user demand checks the computer for viruses There is also a command line version Dr Web Console Scanner for Windows e SpIDer Guard for Windows also called Monitor or Guard is an anti virus guard The program resides in the main memory checks files and memory on the fly and detects virus like activity e SpIDer Mail for Windows Mail Guard is a
121. rward such messages to special e mail addresses for analysis Messages which are wrongly regarded as spam should be forwarded to vrnonspam drweb com and unblocked spam messages should be forwarded to vrspam drweb com Forward messages as attachments do not include them to the message body Exclusions Page By default SpIDer Mail intercepts e mail traffic of all applications running on your computer automatically On this page you can list applications whose mail traffic you want to exclude from monitoring with SpIDer Mail To add a file folder or mask to the list type its name into the entry field and click Add To enter an existing file name or folder you can click Browse to the right and select the object in a standard file browsing window To remove a file or folder from the list select it in the list and click Remove Interception Page The interception parameters of connections are set up on the Interception page 83 6 SpIDer Mail Interception Connection interception options Intercept connections automatically Interception of standard ports and protocols used by most mail cients Connection Settings Manual connections setup interception ol tandard ports if ar Connection Settings Secure connections El Check encrypted traffic POP3S SMTPS IMAPS By default interception is carried out automatically The list of intercepted addresses can be viewed in an additional window To open it
122. s 7 2 2 Configuring Actions Dr Web for Outlook allows to specify reaction to detection of infected or suspicious files and malicious objects during e mail attachments check To configure the virus check of e mail attachments and to specify the program actions for the detected malicious objects in the Microsoft Outlook mail application in the Tools Options Dr Web Anti virus tab in the Files Options select Dr Web for Outlook and click Add in Options button for Microsoft Outlook 2010 click Check 90 7 Dr Web for Outlook attachments Check attachments Scan settings amp Infected Cure Not cured Move to quarantine Suspicious Move to quarantine Malware Adware Move to quarantine Dialers Move to quarantine Jokes Move to quarantine Hacktools Move to quarantine Riskware Move to quarantine If check failed Move to quarantine V Check archives recommended In the Check attachments window specify the actions for different types of checked objects and also for the check failure You can also enable disable checking the archives To set actions on virus threats detection use the following options e The Infected drop down list sets the reaction to the detection of a file infected with a known virus e The Not cured drop down list sets the reaction to the detection of a file infected with a known incurable virus and in case an
123. s for known applications are created automatically e Block unknown connections restricted access mode when all unknown connections are blocked For known connections Dr Web Firewall applies the appropriate rules e Allow unknown connections free access mode when all unknown applications are permitted to access networks Ta J i ax 10 Dr Web Firewall 3 Click OK to save changes or click Cancel to close the window without saving changes Learning Mode In this mode you have total control over Dr Web Firewall reaction on unknown connection detection thus training the program while you working on computer When a user application or operating system attempts to connect to a network Dr Web Firewall checks if there is a filtering rule set for the application If there are no filtering rules Dr Web Firewall prompts you to select a temporary solution or create a rule which will be applied each time Dr Web Firewall detects this type of connection Training Mode In this mode rules for known applications are created automatically For other apllications you have control over Dr Web Firewall reaction When a user application or operating system attempts to connect to a network Dr Web Firewall checks if there is a filtering rule set for the application If there are no filtering rules Dr Web Firewall prompts you to select a temporary solution or create a rule which will be applied each time Dr Web Firewall detects
124. s of the program upon Dr W nner Settings saj Sar we O Main Actions Exclusions Log Restore defaults a Infected Cure recommended Zij Incurable E Move to quarantine recommended KA Suspicious Move to quarantine recommended EA Adware Move to quarantine recommended z Dialers Move to quarantine recommended X Jokes Move to quarantine recommended Zal C Ta 1 4 Dr Web Scanner 64 ax G detection of viruses or suspicious codes in file archives installation packages and mailboxes applied to these objects as a whole are set up 7 To cure some infected files it is necessary to reboot Windows You can choose one of the following e Restart computer automatically It can lead to loss of unsaved data e Prompt restart Log Page In the Log page you can set up the parameters of the log file Main Actions Exclusions Log Restore defaults Specify logging level Maximum Standard Time of updates Detected errors and threats Scanned objects D Minimum Most parameters set by default should be left unchanged However you can change the details of logging by default the information on infected or suspicious objects is always logged the information on the scanned packed files and archives and on successful scanning of other files is omitted Ta J 1 ash 4 Dr Web Scanner 65 4 4 Scanning in Command Line Mode You can run Scanner in the comm
125. s on the specified drive etter For Console Scanner only QRI d p delete quarantined files on drive lt d gt letter that are older than lt p gt days number If lt d gt is not specified then files are deleted on all drives if lt d gt is not specified then all quarantined files are deleted regarding of their age 0 days For Console Scanner only QNA double quote file names QUIT terminate Dr Web Scanner once scanning completes whenever or not the detected threats are neutralized For Scanner only REP follow symbolic links while scanning Option is disabled by default SCC show content of complex objects Option is disabled by default SCN show name of installation package Option is disabled by default SPN show names of packers Option is disabled by default 155 Ta J i ax Appendices 156 SLS show log on the screen Option is enabled by default For Console Scanner only SPS display scan progress on the screen Option is enabled by default For Console Scanner only SST display object scan time Option is disabled by default TB check boot sectors including master boot record MBR of the hard drive TM check processes in memory including Windows system control area TS check autorun objects including object in the Autorun folder system ini files and Windows registry TR check system restore points W l
126. scredited i e its illegal distribution is uncovered If your key file is blocked due to misuse Updater displays an appropriate warning terminates the update and blocks Dr Web components If the key is blocked contact the dealer from which you purchased Dr Web Security Space After the key file is successfully verified Updater downloads and 150 Ta 1 ax 11 Automatic Updating installs all updated files automatically according to your version of Dr Web Security Space If your subscription terms allow upgrade to newer software versions Updater also downloads and installs a new version of Dr Web Security Space when released After an update of Dr Web Security Space executable files or libraries a program restart may be required In such cases Updater displays an appropriate warning d Scanner SpIDer Guard and SpIDer Mail start using the updated databases automatically When the Updater is launched in the command line mode the command line parameters can be used see Appendix A 151 Ta J 1 ax Appendices Appendices Appendix A Command Line Parameters Additional command line parameters switches are used to set parameters for programs which can be launched by opening an executable file This relates to Scanner Console Scanner and to Dr Web Updater The switches can set the parameters unavailable in the configuration file and have a higher priority then the parameters which are specifi
127. so refers to development language e Java viruses designed for the Java virtual machine Script viruses Prefixes of viruses written in different scrip languages e VBS Visual Basic Script Ta J i ys Appendices JS Java Script Wscript Visual Basic Script and or Java Script Perl Perl PHP PHP BAT MS DOS command interpreter Trojan horses Trojan a general name for different Trojan horses Trojans In many cases the prefixes of this group are used with the Trojan prefix PWS password stealing Trojan Backdoor Trojan with RAT function Remote Administration Tool a _ utility for remote administration IRC Trojan which uses Internet Relay Chat channels DownLoader Trojan which secretly downloads different malicious programs from the Internet MulDrop Trojan which secretly downloads different viruses contained in its body Proxy Trojan which allows a third party user to work anonymously in the Internet via the infected computer StartPage synonym Seeker Trojan which makes unauthorized replacement of the browser s home page address start page Click Trojan which redirects a user s browser to a certain web site or sites KeyLogger a spyware Trojan which logs key strokes it may send collected data to a malefactor AVKill terminates or deletes anti virus programs firewalls etc KillFiles KillDisk DiskEraser deletes certain files a
128. sses to network resources You can create rules for both system and user applications The Application filter settings page lists all applications and processes for which there is an application filter rule set Each application is explicitly identified by the path to its executable file Dr Web Firewall uses the SYSTEM name to indicate the rule set applied to the operating system kernel the system process for which there is no unique executable file d Dr Web Firewall allows you to create no more than one set of rules per each application 10 Dr Web Firewall Parent prc Applications Application filter settings Rule type Description Path Custom C System process SYSTEM custom C Services and Controller app C Windows System32 services exe Qatiow al 3B nslookup C Windows System32 nslookup exe Custom C Windows Start Up Application C Windows System32 wininit exe Custom C Dr Web Control Service C Program Files x86 DrWeb dwservice exe Custom Internet Explorer C Program Files x86 Internet Explorer je G Custom C HostProcess for Windows Services C Windows System32 svchost exe Custom C Windows Activation Technologies Service C Windows System32 Wat WatAdminSvc Custom C Local Security Authority Process C Windows System32 sass exe G Custom C Dr Web Updater C Program Files x86 DrWeb drwupsrv exe g Allow all SpIDer Agent for Windows C Program Files x86 DrWeb spideragent
129. stalled Dr Web products to use your computer as an update source in the Update mirror click Change and select Create update mirror in the T x A ys 3 Getting Started 44 opened window Specify the path to the folder where updates should be copied If your computer is connected to several networks you can specify IP address available to computers of only one network You can also specify the port for HTTP connections Network access mode On this page you can also configure network access To do this in the Network access mode click Change and then select one of the following modes e If you do not use proxy server for Internet connections select Direct connection e If you want to specify proxy server settings manually select User defined and enter connection parameters Also you can set the Enable detailed logging flag to increase change log detail level All changes are logged into dwupdater log that is located in allusersprofile Application Data Doctor Web Logs folder in Windows 7 Yallusersprofile Doctor Web Logs Ta ww ax 3 Getting Started 45 Advanced Page On this page you can specify self protection parameters and disable miscellaneous operations that may compromise security of your computer If any problems occur during installation of important Microsoft A updates or installation and operation of programs including defragmentation programs disable the corresponding opt
130. t sec gt maximum time to scan unlimited sec WCL drwebwcl compatible output For Console Scanner only X S R set power state shutDown Reboot Suspend Hibernate with reason R for shutdown reboot Action for different objects C cure Q move to quarantine D delete I ignore R inform Ris available for Console Scanner only R is set by default for all objects in Console Scanner AAD X action for adware R possible DQIR AAR X action for infected archives R possible DQIR ACN X action for infected installation packages R possible DQIR ADL X action for dialers R possible DQIR AHT X action for hacktools R possible DQIR AIC X action for incurable files R possible DQR Ta J 1 ax Appendices AIN X action for infected files R possible CDQR AJK X action for jokes R possible DQIR AML X action for infected e mail files R possible QIR ARW X action for riskware R possible DQIR ASU X action for suspicious files R possible DQIR Several parameters can have modifiers that clearly enable or disable options specified by these keys For example AC option is clearly disabled AC AC option is clearly enabled These modifiers can be useful if option was enabled or disabled by default or was set in configuration file earlier Keys with modifiers are listed below AR AC AFS BI DR HA LN LS MA NB
131. tall Dr Web Security Space and contains some words of advice on how to use the program and solve typical problems caused by virus threats Mostly it describes the standard operating modes of the program s components with default settings The Appendices contain detailed information for experienced users on how to set up Dr Web Security Space Due to constant development program interface of your installation can mismatch the images given in this document You can always find the actual documentation at http products drweb com 9 Ta ww ys 1 Introduction 1 2 Document Conventions The following symbols and text conventions are used in this guide Bold Green and bold Green and underlined Monospace Italic CAPITAL LETTERS Plus sign Exclamation mark Names of buttons and other elements of the graphical user interface GUI and required user input that must be entered exactly as given in the guide Names of Dr Web products and components Hyperlinks to topics and web pages Code examples input to the command line and application output Placeholders which represent information that must be supplied by the user For command line input it indicates parameter values In addition it may indicate a term in position of a definition Names of keys and key sequences Indicates a combination of keys For example ALT F1 means to hold down the ALT key while pressing the F1 key
132. that a message will not be sent usually the mail program will save it 75 Ta J 1 aX 6 SpIDer Mail If an unknown virus distributing through e mail is resided on the computer the program can detect signs of a typical behavior for such viruses mass distribution By default this option is enabled SpIDer Mail uses Dr Web Anti spam which allows to scan mail for spam messages By default this option is enabled For information on settings of the spam filter refer to Adjusting Certain Program Settings The default program settings are optimal for a beginner provide maximum protection level and require minimum user interference But some options of mail programs are blocked for example sending a message to many addresses might be considered as mass distribution and mail will not be scanned for spam useful information from their safe text part becomes unavailable if messages are automatically destroyed Advanced users can modify mail scanning parameters and the program s reactions to virus events In certain cases automatic interception of POP3 SMTP IMAP4 and NNTP connections is impossible in such situation the program allows to set up manual interception of connections Dr Web Scanner can also detect viruses in mailboxes of several formats but SpIDer Mail has several advantages e Not all formats of popular mailboxes are supported by Dr Web Scanner In this case when using SpIDer Mail the infected
133. the following execution states for the rule e Enabled apply rule for all matching connection attempts Aq YP 10 Dr Web Firewall 126 A e Disabled do not apply the rule yet Connection type The party which initiates the connection e Inbound apply the rule when someone from the network attempts to connect to the application on your computer e Outbound apply the rule when the application on your computer attempt to connect to the network e Any apply the rule regardless of who initiate the connection Action The action for Dr Web Firewall to perform when the connection attempt is detected e Block packets e Allow packets Rule Settings Protocol The network and transport level protocols used for the connection attempt Dr Web Firewall supports the following network level protocols e IPv4 e IPv6 e IP all any version of IP protocol Dr Web Firewall supports the following transport level protocols e TCP e UDP e TCP amp UDP TCP or UDP protocol Ta 1 aX 10 Dr Web Firewall 127 Inbound Outbound The IP address of the remote host You can address specify either a specific address Equals or several IP addresses using a range In range specific subnetwork mask Mask or masks of all subnetworks in which your computer has network addresses MY_NETWORK To apply the rule for all remote hosts select Any Inbound Outbound The port used f
134. the same computer cannot be obtained A more often than once in four months For a promotion license key file only once a year e Temporary key file is used if you do not install a license or demo key file during installation This key file provides full functionality of Dr Web Security Space components however updating is not available until you have installed license or demo key file Furthermore the My Dr Web and Update items of SpiDer Agent menu will be inaccessible A valid license key file satisfies the following criteria e License is not expired e All anti virus components required by Dr Web Security Space are licensed e Integrity of the license key file has not been violated If any of the conditions are violated the license key file becomes invalid and Dr Web Security Space stops detecting and neutralizing malicious programs 1 4 2 Get Key File The key file can be delivered as a key file or an archive containing such a file You can receive key files in one of the following ways e During installation e Via manual product registration on the official Doctor Web website Within the product distribution kit On a separate data carrier provided by the seller Key files received during installation or within the installation kit are installed automatically You need to install key files received in any other way Ta J 1 aX 1 Introduction To acquire key files via manual registration
135. the table To configure table view 1 Right click the header of the table and select Customize columns 2 In the opened window set the checkboxes next to those items that you want to display in the table or clear the checkboxes next to those items that you want to hide You can also do one of the following e To select checkboxes for all items click Check all e To clear all checkboxes click Uncheck all 3 Use Move up and Move down to change position of a column in the table 4 After editing click OK to save the changes or Cancel to cancel them The left pane serves to filter the quarantine objects to display Click the corresponding option to display all quarantine objects or just specified groups files mail objects web pages or all other objects not classified In the quarantine window only the users with access rights to the files can see these that files Use the following buttons to manage the quarantine e Add add the file to the quarantine Select the necessary file in the opened file system browser e Restore remove the file from the quarantine and restore the original location of the file i e restore the file to the folder where it had resided before it was moved to the quarantine Use this option only when you are sure that the objects are not harmful In the drop down menu you can choose Restore to restore the file to the folder specified by the user Ta J 1 ax 3 Getting Start
136. tion is running in full screen mode on your computer a game or a movie Clear this checkbox to display notification on the same desktop where an application is running in the full screen mode 140 Ta N ax 10 Dr Web Firewall 141 10 3 5 Restoring Defaults On the Restore default settings page you can restore Dr Web Firewall settings to their default values recommended by Doctor Web Restore default settings Application filter settings Replace existing application rules with default application filter rules Advanced Restore defaults Packet filter settings Restore default packet filter rules and apply default rule set to alll interfaces Advanced settings Restore default operating mode and advanced settings OK cance Ape To restore default settings 1 In the Dr Web Firewall settings window select Restore defaults 2 Do one of the following e To restore default application filter settings in the Application filter settings section click Restore defaults e To restore default packet filter settings in the Packet filter settings section click Restore defaults e To set the default Dr Web Firewall operation mode in the Advanced settings section click Restore defaults 3 Click OK to save changes or click Cancel to close the window without saving changes Ta J 1 aX 10 Dr Web Firewall 10 4 Event Logging Dr Web Firewall registers connection a
137. ttempts and network packets in the following logs e Application Filter Log Application journal which contains information on network connection attempts from various applications and rules applied to process each attempt e Packet Filter Log Packet Filter journal which contains information on network packets processed by Firewall rules applied to process the packets and network interfaces used to transmit the packets Details level depends on settings of each packet application rule The Active applications page displays applications currently connected to a network To open logs 1 Click the SpIDer Agent icon S 2 Select Firewall then select Statistics 10 4 1 Active Applications The list of active applications displays information on programs accessing network resources at the moment 142 10 Dr Web Firewall 143 Wcities Active network enabled applications list Name Direction Protocol Local Address Remote Address Sent Received 4 O SYSTEM 4 Listening TCPv4 0 0 0 0 0 0 0 0 Obytes O bytes Listening TCPv4 0 0 bytes 0 bytes Listening TCPv4 0 0 O bytes O bytes Listening TCPv4 5 0 bytes Obytes Listening UDPv4 10 O bytes Obytes Listening UDPv4 5 0 0 0 0 0 bytes O bytes Outbound TCPv4 0 3 0 10 0 0 235 445 1 06 KB 1 05 KB Outbound TCPv4 0 3 0 195 88 252 2 445 1 23 KB 873 bytes Inbound UDPv4 3 255 255 10 3 0 19 137 O bytes 11 5KB Inbound O bytes 1 16 KB Listening TCPv6 0 bytes 0 bytes List
138. unning application and select the process 2 Specify rule type e Allow all all connections will be allowed e Block all all connections will be blocked e Custom in this mode you can create a set of rules that will allow or block different connections 3 If you chose Custom type create filtering rules using the following options e To add a new rule click New The new rules is added to the end of the list e To modify a rule select it and click Edit e To add a copy of a rule select the rule and click Copy The copy is added after the selected rule e To delete a rule select it and click Delete 4 If you selected to create or edit a rule configure rule settings in the opened window 5 Use the arrows next to the list to change the order of rules The rules are applied according to their order in the set Ta 3 N 10 Dr Web Firewall 125 aX 6 When you finish adjusting the settings click OK to save changes or Cancel to reject them Rule Settings Application filtering rules control interaction of a particular application with certain network hosts General Rule name DrWEB Firewall Settings Application http Description Allows to connect to CRL distribution points via http This is used to verify securit red comeetone bound To add or edit a rule 1 Configure the following parameters General Rule name The rule name Description The rule description State One of
139. urity Space on your computer and set a password that will be required to connect to your anti virus from other computers e Protect Dr Web Security Space settings on your computer with a password Set a password that will be required to access settings of Dr Web Security Space Ta yan A A 3 Getting Started 3 3 License Manager License Manager shows information from the Dr Web Security Space key files in an understandable form d The License Manager item is available in the menu when operation in Administrative mode only To open License Manager click the SpIDer Agent icon in the notification area select Tools and then select License Manager Dr Web license Please note that you can own several licenses for Dr Web product All accessible licenses are presented in the list ek Current license 12720753 M Serial Number Owner Aleksey Tarakhti Activation date 3 11 2012 Expiration date 3 13 2013 License file name C Program Files x86 DrWeb 20120405164228 key Dr Web components accessible under license 12720753 SplDer Mail Scanner amp SplDer Guard solder Gate Updater G spider Guard for servers amp Parental Control amp Anti spam Firewall l Get new license v l Online service My Dr Web Delete current license Selected Dr Web Security Space components for your license are specified in the Dr Web antivirus components group box The Online service My Dr
140. virus components on system startup Update Launch all installed anti virus components on system startup recommended Custom components not recommended Advanced SpIDer Mail F SpIDer Gate Sa Update Page On this page you can configure Dr Web Security Space update parameters such as components that should be updated an updating source update period and update mirror 3 Getting Started 43 Settings Update Components Update mode Update rm j Update source Internet recommended Updating components All recommended Z Update frequency 30 minutes Z Network access mode Direct connection Change Advanced Advanced Update mirror Disabled E Enable detailed logging Update source To select an update source click Change In the opened window select one of the following update sources e Internet recommended updates are to be downloaded from Doctor Web servers This source is used by default e Local or network folder updates are to be downloaded from a local or network folder where updates were copied To specify the path to the folder click Browse and select the required folder or enter the address manually Enter the user name and password if necessary e Anti virus Network updates are to be downloaded from a local network computer if Dr Web product is installed and update mirror is created on it Update mirror To allow other local network computers with in
141. which you wish to be installed Click on an icon in the list below to change how a feature is installed Feature Description Ch A comprehensive solution for _ protection of computers running SpIDer Gate under Windows OS from viruses M Parental Control and other types of computer E3 SplDer Guard threats H E r Mail protection E v Updater Install to C Program Fies orwweb Click Next when you finish selecting the necessary components 9 The window for selecting what shortcuts to Dr Web Security Space you want to create will open Select the necessary options and click Next 10 The window for adjusting proxy server settings will open e If you do not use a proxy server choose Do not use proxy server e If you want to specify settings for a proxy server choose Specify proxy server IP and Port manually 2 Installing Dr Web Security Space 29 Specify the settings of the proxy server if necessary If you use a proxy server to access the Internet it is necessary to specify your settings in order for Dr Web Security Space 7 0 to operate correctly Do not use proxy server Specify proxy server IP and Port manually Proxy settings IP address Port User name Password Click Next 11 If in step 6 you specified a valid key file or selected Receive key file during installation then to download the latest virus databases and anti virus
142. zing malicious programs are Cure an action applied to viruses worms and trojans It implies deletion of malicious code from infected files or deletion of a malicious program s functional copies as well as the recovery of affected objects i e return of the object s structure and operability to the state which was before the infection if it is possible Not all malicious programs can be cured However products of Doctor Web are based on more effective curing and file recovery algorithms compared to other anti virus manufacturers Move to quarantine an action when the malicious object is moved to a special folder and isolated from the rest of the system This action is preferable in cases when curing is impossible and for all suspicious objects It is recommended to send copies of such files to the virus laboratory of Doctor Web for analysis Delete the most effective action for neutralizing computer threats It can be applied to any type of malicious objects Note that deletion will sometimes be applied to certain files for which curing was selected This will happen if the file contains only malicious code and no useful information E g curing of a computer worm implies deletion of all its functional copies Block rename these actions can also be used for neutralizing malicious programs However fully operable copies of these programs remain in the file system In case of the Block action all access attempts to or fro
Download Pdf Manuals
Related Search